File ardana-barbican-8.0+git.1585152761.8ef3d61.obscpio of Package ardana-barbican
Archive contents, listed per file. All paths are relative to the top-level directory ardana-barbican-8.0+git.1585152761.8ef3d61/.

### .copyrightignore

```text
roles/KEYMGR-API/templates/generate_kek
roles/KEYMGR-API/README.md
roles/KEYMGR-API/templates/api-logging.conf.j2
.copyrightignore
```

### .gitreview

```ini
[gerrit]
host=gerrit.suse.provo.cloud
port=29418
project=ardana/barbican-ansible.git
defaultremote=ardana
defaultbranch=stable/pike
```

### .rsync-filter

```text
- ardana-ci
```

### LICENSE

```text
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

   "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

   "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

   "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

   "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

   "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

   "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

   "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

   "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

   "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

   "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

   (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

   (b) You must cause any modified files to carry prominent notices stating that You changed the files; and

   (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

   (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

   You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.
```
07070100000004000081A40000000000000000000000015E7B82F9000002A1000000000000000000000000000000000000003500000000ardana-barbican-8.0+git.1585152761.8ef3d61/README.mdREADME ====== This repository contains the following roles - KEYMGR-API: Barbican API server - KEYMGR-WKR: Barbican worker process for async order processing - barbican-common: Common variable and task declarations - barbican-monitor: Local and remote monitoring of Barbican API The verbs: - configure - configure the service/role - install - install the service/role - start - start the service/role - stop - stop the service/role The operations: - deploy - deploy the service (install, configure and start) - reconfigure - reconfigures the service Refer to README.md at roles/KEYMGR-API/ for reconfiguration instructions 07070100000005000081A40000000000000000000000015E7B82F90000036F000000000000000000000000000000000000004300000000ardana-barbican-8.0+git.1585152761.8ef3d61/_barbican-configure.yml# # (c) Copyright 2015 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. 
# --- - hosts: KEYMGR-API gather_facts: True roles: - KEYMGR-API tasks: - include: roles/KEYMGR-API/tasks/configure.yml - hosts: KEYMGR-WKR roles: - KEYMGR-WKR tasks: - include: roles/KEYMGR-WKR/tasks/configure.yml07070100000006000081A40000000000000000000000015E7B82F900000368000000000000000000000000000000000000004100000000ardana-barbican-8.0+git.1585152761.8ef3d61/_barbican-install.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - hosts: KEYMGR-API roles: - role: KEYMGR-API tasks: - include: roles/KEYMGR-API/tasks/install.yml - hosts: KEYMGR-WKR roles: - role: KEYMGR-WKR tasks: - include: roles/KEYMGR-WKR/tasks/install.yml 07070100000007000081A40000000000000000000000015E7B82F9000002EA000000000000000000000000000000000000004A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/_barbican-schedule-restart.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. 
# --- # Schedule a restart of all barbican services using ardana_notify_... variables - hosts: all tasks: - include: roles/barbican-common/tasks/_schedule_restart.yml07070100000008000041ED0000000000000000000000045E7B82F900000000000000000000000000000000000000000000003500000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci07070100000009000041ED0000000000000000000000035E7B82F900000000000000000000000000000000000000000000003D00000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci/project0707010000000A000041ED0000000000000000000000035E7B82F900000000000000000000000000000000000000000000004900000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci/project/input-model0707010000000B000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004E00000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci/project/input-model/data0707010000000C000081A40000000000000000000000015E7B82F900000594000000000000000000000000000000000000006000000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci/project/input-model/data/control_plane.yml# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. 
# --- product: version: 2 control-planes: - name: ccp control-plane-prefix: ccp region-name: region1 failure-zones: - AZ1 - AZ2 - AZ3 common-service-components: - lifecycle-manager-target - openstack-client clusters: - name: cluster0 cluster-prefix: c0 server-role: - SERVER1-ROLE - SERVER2-ROLE - SERVER3-ROLE member-count: 3 allocation-policy: strict service-components: - lifecycle-manager - ntp-server - mysql - ip-cluster - rabbitmq - keystone-client - keystone-api - barbican-api - barbican-worker 0707010000000D000081A40000000000000000000000015E7B82F9000005CF000000000000000000000000000000000000005A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci/project/input-model/data/servers.yml# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. 
# --- product: version: 2 baremetal: netmask: 255.255.255.0 subnet: 192.168.110.0 server-interface: eth2 servers: - id: server1 ip-addr: 192.168.110.3 role: SERVER1-ROLE server-group: AZ1 mac-addr: a4:93:0c:4f:7c:73 nic-mapping: VAGRANT ilo-ip: 192.168.109.3 ilo-password: password ilo-user: admin - id: server2 ip-addr: 192.168.110.4 role: SERVER2-ROLE server-group: AZ2 mac-addr: b2:72:8d:ac:7c:6f nic-mapping: VAGRANT ilo-ip: 192.168.109.4 ilo-password: password ilo-user: admin - id: server3 ip-addr: 192.168.110.5 role: SERVER3-ROLE server-group: AZ3 mac-addr: 8a:8e:64:55:43:76 nic-mapping: VAGRANT ilo-ip: 192.168.109.5 ilo-password: password ilo-user: admin 0707010000000E000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000003B00000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci/tests0707010000000F000081A40000000000000000000000015E7B82F900000400000000000000000000000000000000000000004A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci/tests/test-plan.yaml# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. 
# --- - name: Test reconfigure logfile: testsuite-reconfigure.log prefix: reconfigure playbooks: - barbican-reconfigure.yml - name: Validate barbican exec: - validate-barbican.bash - name: Test reboot logfile: reboot.log prefix: reboot vms: - reboot: server2 exec: - ansible-playbook -i hosts/verb_hosts barbican-start.yml - validate-barbican.bash 07070100000010000081ED0000000000000000000000015E7B82F900000308000000000000000000000000000000000000005200000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci/tests/validate-barbican.bash# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # #!/bin/bash ansible-playbook -i hosts/verb_hosts barbican-status.yml if [ $? -eq 0 ] then echo "Ok" else echo "Fail" exit 1 fi 07070100000011000081A40000000000000000000000015E7B82F90000039F000000000000000000000000000000000000004A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-configure-monasca.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. 
You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - hosts: KEYMGR-API:&MON-AGN roles: - role: barbican-monitor tasks: - include: roles/barbican-monitor/tasks/local_monitor.yml - hosts: KEYMGR-API:&MON-AGN roles: - role: barbican-monitor tasks: - include: roles/barbican-monitor/tasks/remote_monitor.yml 07070100000012000081A40000000000000000000000015E7B82F90000043A000000000000000000000000000000000000003F00000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-deploy.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- # Register necessary user, barbican roles, role assignment for api service. 
- hosts: KEYMGR-API roles: - role: KEYMGR-API tasks: - include: roles/KEYMGR-API/tasks/keystone_conf.yml ansible_python_interpreter: "{{ KEY_CLI.vars.keystone_client_python_interpreter }}" - include: _barbican-install.yml - include: _barbican-configure.yml - include: barbican-start.yml - include: barbican-configure-monasca.yml 07070100000013000081A40000000000000000000000015E7B82F900000432000000000000000000000000000000000000005700000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-reconfigure-credentials-change.yml# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - include: _barbican-configure.yml - hosts: KEYMGR-API roles: - KEYMGR-API tasks: - include: roles/KEYMGR-API/tasks/configure.yml - hosts: KEYMGR-API roles: - KEYMGR-API # This task should be set to run-once tasks: - include: roles/KEYMGR-API/tasks/keystone_change_pwd.yml ansible_python_interpreter: "{{ KEY_CLI.vars.keystone_client_python_interpreter }}" - include: barbican-start.yml 07070100000014000081A40000000000000000000000015E7B82F9000005EB000000000000000000000000000000000000004400000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-reconfigure.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. 
You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - hosts: KEYMGR-API gather_facts: True roles: - KEYMGR-API tasks: - include: roles/KEYMGR-API/tasks/configure.yml - hosts: KEYMGR-WKR roles: - KEYMGR-WKR tasks: - include: roles/KEYMGR-WKR/tasks/configure.yml # Register necessary user, barbican roles, role assignment for api service. - hosts: KEYMGR-API roles: - role: KEYMGR-API tasks: - include: roles/KEYMGR-API/tasks/keystone_conf.yml ansible_python_interpreter: "{{ KEY_CLI.vars.keystone_client_python_interpreter }}" # Split the tasks to enable serial restart - hosts: KEYMGR-API serial: "50%" roles: - role: KEYMGR-API tasks: - include: roles/KEYMGR-API/tasks/start.yml - hosts: KEYMGR-WKR serial: "50%" roles: - role: KEYMGR-WKR tasks: - include: roles/KEYMGR-WKR/tasks/start.yml - include: barbican-configure-monasca.yml 07070100000015000081A40000000000000000000000015E7B82F90000028D000000000000000000000000000000000000004000000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-restart.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. 
# --- - include: _barbican-schedule-restart.yml - include: barbican-start.yml 07070100000016000081A40000000000000000000000015E7B82F90000037C000000000000000000000000000000000000003E00000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-start.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - hosts: KEYMGR-API serial: 1 roles: - role: KEYMGR-API tasks: - include: roles/KEYMGR-API/tasks/start.yml - hosts: KEYMGR-WKR serial: 1 roles: - role: KEYMGR-WKR tasks: - include: roles/KEYMGR-WKR/tasks/start.yml 07070100000017000081A40000000000000000000000015E7B82F900000310000000000000000000000000000000000000003F00000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-status.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. 
# --- - hosts: KEYMGR-API max_fail_percentage: 0 roles: - role: KEYMGR-API tasks: - include: roles/KEYMGR-API/tasks/status.yml 07070100000018000081A40000000000000000000000015E7B82F900000362000000000000000000000000000000000000003D00000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-stop.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - hosts: KEYMGR-API roles: - role: KEYMGR-API tasks: - include: roles/KEYMGR-API/tasks/stop.yml - hosts: KEYMGR-WKR roles: - role: KEYMGR-WKR tasks: - include: roles/KEYMGR-WKR/tasks/stop.yml 07070100000019000081A40000000000000000000000015E7B82F900000345000000000000000000000000000000000000004000000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-upgrade.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. 
# --- - include: barbican-status.yml - include: barbican-stop.yml - include: _barbican-install.yml - include: _barbican-configure.yml - include: barbican-start.yml - include: barbican-status.yml 0707010000001A000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000003200000000ardana-barbican-8.0+git.1585152761.8ef3d61/config0707010000001B000081A40000000000000000000000015E7B82F9000004B2000000000000000000000000000000000000004800000000ardana-barbican-8.0+git.1585152761.8ef3d61/config/barbican-symlinks.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. 
# --- symlinks: "barbican/barbican.conf.j2": roles/KEYMGR-API/templates/barbican.conf.j2 "barbican/barbican_deploy_config.yml": roles/barbican-common/vars/barbican_deploy_config.yml "barbican/barbican_kmip_plugin_config_sample.yml": roles/KEYMGR-API/files/samples/barbican_kmip_plugin_config_sample.yml "barbican/barbican_pkcs11_plugin_config_sample.yml": roles/KEYMGR-API/files/samples/ardana/barbican_pkcs11_plugin_config_sample.yml "barbican/policy.json": roles/KEYMGR-API/templates/policy.json "barbican/README.md": roles/KEYMGR-API/README.md 0707010000001C000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000003A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/filter_plugins0707010000001D000081ED0000000000000000000000015E7B82F900000748000000000000000000000000000000000000005900000000ardana-barbican-8.0+git.1585152761.8ef3d61/filter_plugins/barbican_master_key_decrypt.py# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. 
```python
#
import base64
import imp
import os.path

# Load the shared ardanaencrypt helper that lives one directory above
# this filter_plugins directory.
path = os.path.dirname(os.path.realpath(__file__))
ardanaencrypt = imp.load_source('ardanaencrypt', path + '/../ardanaencrypt.py')
encryption_class = 'openssl'
ardanaencrypt_class = getattr(ardanaencrypt, encryption_class)


# Method to decrypt the customer defined encrypted key.
# It will only decrypt a key carrying the @ardana@ prefix (or the legacy
# prefix); any other value is returned unchanged, i.e. treated as plaintext.
# The customer defines this key, barbican_customer_master_key, in
# roles/barbican-common/vars/barbican_deploy_config.yml
def barbican_master_key_decrypt(value, *args, **kw):
    prefix = None
    if value.startswith(ardanaencrypt_class.prefix):
        prefix = ardanaencrypt_class.prefix
    # For upgrade cases, need to support existing encrypted values which may
    # have the legacy prefix in use.
    elif value.startswith(ardanaencrypt_class.legacy_prefix):
        prefix = ardanaencrypt_class.legacy_prefix
    if prefix is None:
        return value
    else:
        obj = ardanaencrypt_class()
        # Strip the prefix, undo the urlsafe base64 wrapping, then decrypt.
        return obj.decrypt(base64.urlsafe_b64decode(
            value.encode('ascii', 'ignore')[len(prefix):]))


class FilterModule(object):
    def filters(self):
        return {'barbican_master_key_decrypt': barbican_master_key_decrypt}
```

File ardana-barbican-8.0+git.1585152761.8ef3d61/filter_plugins/check_variables.py
```python
#
# Create variable value validation filters

# Python 2 has a separate long type; on Python 3 only int exists.
try:
    integer_types = (int, long)  # noqa: F821
except NameError:
    integer_types = (int,)


def is_str_set(my_var, do_define_check=True):
    """Returns True if the variable is set to a non-blank value.

    The input value is stripped on both ends to make sure it has a value.
    """
    if do_define_check:
        # A function parameter is always bound, so this never raises
        # NameError; kept for parity with the original filter.
        try:
            my_var
        except NameError:
            my_var = None
    if my_var is None:
        return False
    elif isinstance(my_var, integer_types):
        return my_var  # return natural number as-is
    else:
        return my_var and my_var.strip() != ''


def is_bool_true(my_var, do_define_check=True):
    """Check whether the variable value can be converted to boolean True.

    A case-insensitive input value of true, yes, on or 1 is treated as
    boolean True.
    """
    if do_define_check:
        try:
            my_var
        except NameError:
            my_var = None
    if isinstance(my_var, bool):
        return my_var
    elif isinstance(my_var, integer_types):
        # Plain integers have no strip(); treat 1 as True like the string "1".
        return my_var == 1
    else:
        return my_var and my_var.strip().lower() in ['yes', 'true', '1', 'on']


class FilterModule(object):
    def filters(self):
        return {'is_str_set': is_str_set,
                'is_bool_true': is_bool_true,
                }
```

File ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/README.md

README
======

## First Time Initial Master Key Setup

When Barbican is used with *simple_crypto_plugin* as the secret store backend, its master key needs to be defined **before initial deployment**. This backend is used when secrets are stored in the Barbican database. If you don't specify a key before deployment, the default master key is used (not a recommended practice).

**Once the master key is set, it must not be modified.
**

**Earlier, if you defined your own encrypted master key, then before you run any playbooks remember that you need to export that encryption key in the following environment variable:**

    export ARDANA_USER_PASSWORD_ENCRYPT_KEY=<encryption key>

For more details on this, please refer to the official Ardana OpenStack/Barbican documentation.

**If you are upgrading and already have the master key defined from a previous version or installation, check `~/openstack/ardana/ansible/roles/barbican-common/vars/barbican_deploy_config.yml` for the *barbican_customer_master_key* value. If the value does not have the prefix "@ardana@", it is not encrypted. It is highly recommended to encrypt this value.**

* Encrypt the existing key during upgrade
  * Set up the environment variable ARDANA_USER_PASSWORD_ENCRYPT_KEY, which contains the key used to encrypt the Barbican master key.
  * Note: before you run any playbooks, remember that you need to export the encryption key in the following environment variable:
    * `export ARDANA_USER_PASSWORD_ENCRYPT_KEY=<USER_ENCRYPTION_KEY>`
  * Execute `python roles/KEYMGR-API/templates/generate_kek <barbican_customer_master_key>`
  * The master key is generated at stdout.
  * Set the above master key in the file ~/openstack/ardana/ansible/roles/barbican-common/vars/barbican_deploy_config.yml
  * Replace the existing *barbican_customer_master_key* value with the above generated master key.
  * Commit the change in the git repository.
  * `cd ~/openstack/ardana/ansible/`
  * `ansible-playbook -i hosts/localhost ready-deployment.yml`
  * Once the master key is set, continue with cloud deployment.

It is not recommended to change the master key during the upgrade process. Changing the master key will result in read errors for existing secrets, as they were
encrypted using the previous master key.

* Generate the master key using the provided python *generate_kek* script on the deployer node
  * Set up the environment variable ARDANA_USER_PASSWORD_ENCRYPT_KEY, which contains the key used to encrypt the Barbican master key.
    * `export ARDANA_USER_PASSWORD_ENCRYPT_KEY=<USER_ENCRYPTION_KEY>`
  * `python roles/KEYMGR-API/templates/generate_kek`
  * The master key is generated at stdout by the previous command.
  * Set the above master key in the file ~/openstack/ardana/ansible/roles/barbican-common/vars/barbican_deploy_config.yml
  * Replace the existing *barbican_customer_master_key* value with the above generated master key.
  * Commit the change in the git repository.
  * `cd ~/openstack/ardana/ansible/`
  * `ansible-playbook -i hosts/localhost ready-deployment.yml`
  * Once the master key is set, continue with cloud deployment.

# Configurable Values

There are different configurable entries for Barbican.

1. Configuration entries that are available upstream in *barbican.conf*. These are upstream-defined configurable values.
2. Deployment-specific configuration which is not part of *barbican.conf*, like log_level, process count etc.

The following section describes the mechanism used for overriding or changing those configuration entries.

* To change configuration entries used by the Barbican API service config, i.e. barbican.conf
  * Edit the file *roles/KEYMGR-API/templates/barbican.conf.j2* to add or change any config settings.
  * Make sure that you don't change any values under {{ }} in the above mentioned file.
* To change configurable properties which are not part of the Barbican API service config, such as log level
  * Edit the file *roles/barbican-common/vars/barbican_deploy_config.yml* to change any config settings.
  * Here you can only change values; you can't add any new settings.
  * For log level, replace the current value with the new log level, e.g. `barbican_loglevel: "DEBUG"`

To make the above changes effective, the Barbican reconfigure playbook needs to be executed, which deploys the new settings on its API nodes.
* `cd ~/openstack/ardana/ansible/`
* `ansible-playbook -i hosts/localhost ready-deployment.yml`
* `cd ~/scratch/ansible/next/ardana/ansible`
* `ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml`

## Tested/Supported Features

### Enable or Disable Auditing

* The auditing feature can be disabled or enabled by the following steps.
  * Edit the file ~/openstack/my_cloud/definition/cloudConfig.yml
  * All audit related configuration is defined under the `audit-settings` section.
  * Please note that valid yaml syntax needs to be followed when specifying values.
  * A service name defined under `enabled-services` or `disabled-services` overrides the default setting (i.e. `default: enabled` or `default: disabled`).
  * To enable auditing, make sure that the `barbican` service name is within the `enabled-services` list of the `audit-settings` section, or is **not** present in the `disabled-services` list when `default: enabled`.
  * To disable auditing for the barbican service specifically, make sure that the `barbican` service name is within the `disabled-services` list of the `audit-settings` section, or is **not** present in the `enabled-services` list when `default: disabled`.
  * It is incorrect to specify a service name in both lists. If it is specified in both, the `enabled-services` value takes precedence.
  * Commit the change in the git repository.
  * `cd ~/openstack/ardana/ansible/`
  * `ansible-playbook -i hosts/localhost config-processor-run.yml`
  * `ansible-playbook -i hosts/localhost ready-deployment.yml`
  * `cd ~/scratch/ansible/next/ardana/ansible`
  * `ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml`

### Enable or Disable KMIP Plugin

* (Step 1) To populate or change the client certificates on Barbican nodes.
  * For a KMIP device, an SSL client certificate is needed, as HSM devices generally require 2-way SSL for security reasons.
  * Get the needed client certificate, client private key and client root CA recognized by the HSM device.
  * This certificate information is provided to the Barbican service via the reconfigure playbook.
  * Look into the KMIP certificates sample file barbican_kmip_plugin_config_sample.yml
  * Copy this file to a temporary directory, e.g. /tmp/kmip_plugin_certs.yml
  * Edit the file to provide the client certificates either as absolute file paths (i.e. `client_cert_file_path`, `client_key_file_path`, `client_cacert_file_path`) or by pasting the certificate content directly into the file (i.e. in `client_cert_content`, `client_key_content`, `client_cacert_content`).
  * `ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml -e@/tmp/kmip_plugin_certs.yml`
* (Step 2) To provide or update the HSM connection credentials for the Barbican service
  * In this step, KMIP plugin connection details are provided to the service.
  * Edit the file ~/openstack/ardana/ansible/roles/barbican-common/vars/barbican_deploy_config.yml
  * Change the value `use_kmip_secretstore_plugin` to True to use the KMIP plugin, or False to use the default secret store plugin (`store_crypto`).
  * Provide the KMIP client connection credentials and the KMIP server hostname and port.
  * Commit the change in the git repository.
  * `cd ~/openstack/ardana/ansible/`
  * `ansible-playbook -i hosts/localhost ready-deployment.yml`
  * `cd ~/scratch/ansible/next/ardana/ansible`
  * `ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml`

```
Note: If preferred, the actions described in step 1 can be executed without running the reconfigure
playbook, and the reconfigure playbook can be run once at the end of the step 2 actions. This reduces
the number of reconfigure runs needed in the initial setup.

ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml -e@/tmp/kmip_plugin_certs.yml

Individual step 1 and step 2 runs are needed when client certificates or HSM connection information
needs to be updated.
```

#### Troubleshooting KMIP Plugin Setup

1. Make sure that the Certificate Signing Request (CSR) 'Common Name' field matches the *barbican_kmip_username* value defined in *roles/barbican-common/vars/barbican_deploy_config.yml*.
   Otherwise you may see an *Internal Server Error* in Barbican for the create secret request, which does not translate well into this issue.
2. Currently Barbican does not return a clear error with regard to the client certificate setup and its connectivity with the KMIP server. During a secret create request, a general *Internal Server Error* is returned when the certificate is invalid or any of the needed client certificate data (client certificate, key and CA root certificate) is missing.

### Enable or Disable PKCS11 Plugin

* (Step 1) Import and install the PKCS11 library debian package.
  * This is a one-time setup to install the pkcs11 package on barbican nodes.
  * Make sure you are on the deployer node.
  * If not present, create the directory /home/stack/third-party/barbican/pkgs/debian
  * Populate the directory with the full set of debian packages which contains the HSM specific PKCS11 library.
  * Run the 3rd-party import playbook:
    * `cd ~/openstack/ardana/ansible/`
    * `ansible-playbook -i hosts/localhost third-party-import.yml`
    * `cd ~/scratch/ansible/next/ardana/ansible`
    * `ansible-playbook -i hosts/verb_hosts osconfig-run.yml`
  * This will import the above packages into the Ardana third-party repo, ready for installation, and ensures that the /etc/apt/source.list.d entry exists for the third-party apt repo.
    For example, you can import hppkcs11 (<eskm_pkcs11_package_version>.deb), which is the PKCS11 library for the ESKM (Enterprise Secure Key Manager) HSM.
  * Once the library package is imported into the third-party repository, you can install it by running the barbican playbook with the extra ansible variable `barbican_pkcs11_package_name`. If the given package is not present on the controller nodes, the latest version is installed from the 3rd-party repository, like
    * `ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml --extra-vars "barbican_pkcs11_package_name=hppkcs11"`
  * Or, if you want to install a specific version of the package, or upgrade or downgrade from the one you have on the controller nodes, you can pass the version info to the playbook, like
    * `ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml --extra-vars "barbican_pkcs11_package_name=hppkcs11=0.2.1"`
  * The above step installs the provided package on the controller node in its default location.
* (Step 2) To provide or update the HSM connection credentials for the Barbican service
  * In this step, PKCS11 plugin connection details are provided to the service.
  * Edit the file ~/openstack/ardana/ansible/roles/barbican-common/vars/barbican_deploy_config.yml
  * Change the value `use_pkcs11_crypto_plugin` to True to use the PKCS11 plugin crypto setup. False indicates that another plugin setup is in use.
  * Provide the details for the PKCS11 client connection. The details needed are:
    * session password
    * expected location of the vendor specific pkcs11 shared library on Barbican nodes. Provide the absolute path on the **controller** node.
    * label used for the master kek
    * label used for the hmac key
  * If the PKCS11 provider is ESKM, then the `barbican_pkcs11_provider_is_eskm` flag can be set to True and the playbooks will use the default paths for the library and its certificate location.
  * Commit the change in the git repository.
  * `cd ~/openstack/ardana/ansible/`
  * `ansible-playbook -i hosts/localhost ready-deployment.yml`
  * `cd ~/scratch/ansible/next/ardana/ansible`
  * `ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml`
* (Step 3) *** Atalla ESKM Specific Setup Only ***
  Please note that a PKCS11 provider may have custom configuration steps, and those need to be done manually. This specific step is provided only for the ESKM PKCS11 connector. In this step, the ESKM KMIP server address is set or updated.
  * For the ESKM PKCS11 connector, there is connection configuration information needed by its PKCS11 connector, e.g. KMIP server address, token firmware version and various flags needed for the PKCS11 session.
  * The customer is expected to provide the KMIP server address.
  * The Barbican playbook provides the following mechanism to generate the related configuration with the customer provided KMIP server address. For any other customization, the customer is expected to refer to the ESKM PKCS11 documentation and make those changes manually on the controller nodes hosting the Barbican service.
  * Edit the file ~/openstack/ardana/ansible/roles/barbican-common/vars/barbican_deploy_config.yml
  * Set the values for `barbican_pkcs11_eskm_kmip_host` and `barbican_pkcs11_eskm_kmip_port`
  * Commit the change in the git repository.
  * `cd ~/openstack/ardana/ansible/`
  * `ansible-playbook -i hosts/localhost ready-deployment.yml`
  * `cd ~/scratch/ansible/next/ardana/ansible`
  * `ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml --extra-vars "barbican_pkcs11_eskm_generate_conf=True"`
* (Step 4) To populate or change the client certificates on Barbican nodes.
  * For a PKCS11 device, an SSL client certificate is needed, as HSM devices generally require 2-way SSL for security reasons.
  * Get the needed client certificate, client private key and client root CA recognized by the HSM device.
  * This certificate information is provided to the Barbican service via the reconfigure playbook.
  * Look into the HSM certificates sample file barbican_pkcs11_plugin_config_sample.yml
  * Copy this file to a temporary directory, e.g. /tmp/pkcs11_plugin_certs.yml
  * Edit the file to provide the client certificates either as absolute file paths (i.e. `client_cert_file_path`, `client_key_file_path`, `client_cacert_file_path`) or by pasting the certificate content directly into the file (i.e. in `client_cert_content`, `client_key_content`, `client_cacert_content`).
  * Edit the file ~/openstack/ardana/ansible/roles/barbican-common/vars/barbican_deploy_config.yml for the pkcs11 certificate locations.
  * Provide the expected paths for the client side certificates on barbican nodes:
    * `barbican_pkcs11_client_cert_path` - client certificate file path
    * `barbican_pkcs11_client_key_path` - private key file path created via CSR generation
    * `barbican_pkcs11_client_cacert_path` - root CA recognized by the HSM device and used for CSR signing
  * Commit the change in the git repository.
  * `cd ~/openstack/ardana/ansible/`
  * `ansible-playbook -i hosts/localhost ready-deployment.yml`
  * `cd ~/scratch/ansible/next/ardana/ansible`
  * `ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml -e@/tmp/pkcs11_plugin_certs.yml`
* (Step 5) Generate the labels for the master kek and hmac key used by the PKCS11 plugin. This is a one-time setup which generates the needed mkek and hmac labels. As a prerequisite, Step 2 (+ Step 2b in the ESKM HSM case) and Step 3 need to be done beforehand.
  * `ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml --extra-vars "barbican_pkcs11_generate_labels=True"`

```
Note: If preferred, the actions described in step 1 (except running the 3rd-party import playbook), 2, 3 and 4 can be executed together.
Just make sure that all PKCS11 specific variables are configured correctly in barbican_deploy_config.yml and that a
single space is present between the variables defined via the 'extra-vars' option.

ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml \
  --extra-vars "barbican_pkcs11_package_name=hppkcs11 \
  barbican_pkcs11_generate_labels=True" \
  -e@/tmp/pkcs11_plugin_certs.yml

For ESKM, the combined step is as follows (with the generate conf file option).

ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml \
  --extra-vars "barbican_pkcs11_package_name=hppkcs11 \
  barbican_pkcs11_eskm_generate_conf=True \
  barbican_pkcs11_generate_labels=True" \
  -e@/tmp/pkcs11_plugin_certs.yml

Individual step 1, step 2, step 3 or step 4 runs are needed when the pkcs11 library, client certificates or HSM
connection information needs to be updated.
```

#### Troubleshooting PKCS11 Plugin Setup

1. With an ESKM device, make sure that the Certificate Signing Request (CSR) 'Common Name' field exists in the HSM as a local user. Otherwise you may see an *Internal Server Error* in Barbican for the create secret request, which does not translate well into this issue.
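A preflight check for the values this README asks you to set, added here as an illustration and not part of the ardana-barbican project: it flags an unset or unencrypted *barbican_customer_master_key* (no `@ardana@` prefix, the marker the `barbican_master_key_decrypt` filter keys on), checks the KMIP/PKCS11 switches and the `-e@` certificate file for the three client certificate inputs, and applies the `audit-settings` precedence rule from the auditing section. It assumes the YAML files have already been loaded into dicts (for example with `yaml.safe_load`); the sample dicts are constructed, not taken from a real deployment.

```python
# Preflight checks for the settings this README describes. Added illustration,
# not ardana-barbican project code; inputs are the YAML files loaded into dicts
# (assumption), and the sample dicts below are constructed.

ENCRYPTED_PREFIX = '@ardana@'   # prefix the barbican_master_key_decrypt filter expects
CERT_KINDS = ('client_cert', 'client_key', 'client_cacert')


def is_true(value):
    """Same truthiness rule as the is_bool_true filter (yes/true/1/on)."""
    if isinstance(value, bool):
        return value
    return value is not None and str(value).strip().lower() in ('yes', 'true', '1', 'on')


def check_master_key(deploy_cfg):
    """Findings for barbican_customer_master_key in barbican_deploy_config.yml."""
    findings = []
    key = deploy_cfg.get('barbican_customer_master_key')
    if key is None or str(key).strip() == '':
        findings.append('barbican_customer_master_key is not set: the default '
                        'master key would be used (not recommended)')
    elif not str(key).startswith(ENCRYPTED_PREFIX):
        findings.append('barbican_customer_master_key lacks the %s prefix: it is '
                        'plaintext; encrypt it with generate_kek' % ENCRYPTED_PREFIX)
    return findings


def check_plugin_selection(deploy_cfg):
    """Findings for the KMIP / PKCS11 switches and the values they depend on."""
    findings = []
    kmip = is_true(deploy_cfg.get('use_kmip_secretstore_plugin'))
    pkcs11 = is_true(deploy_cfg.get('use_pkcs11_crypto_plugin'))
    if kmip and pkcs11:
        findings.append('use_kmip_secretstore_plugin and use_pkcs11_crypto_plugin '
                        'are both True; the README treats them as alternatives')
    if kmip and not deploy_cfg.get('barbican_kmip_username'):
        findings.append('KMIP enabled but barbican_kmip_username is empty; the '
                        'client certificate Common Name must match it')
    if pkcs11:
        for name in ('barbican_pkcs11_client_cert_path',
                     'barbican_pkcs11_client_key_path',
                     'barbican_pkcs11_client_cacert_path'):
            if not deploy_cfg.get(name):
                findings.append('PKCS11 enabled but %s is not set' % name)
    return findings


def check_plugin_certs(plugin_conf):
    """Findings for the barbican_*_plugin_conf dict passed with -e@: each of
    cert, key and CA needs *_file_path or *_content, and a path wins."""
    findings = []
    for kind in CERT_KINDS:
        if plugin_conf.get(kind + '_file_path'):
            continue  # file path takes precedence; inline content is ignored
        content = plugin_conf.get(kind + '_content')
        if not content:
            findings.append('%s: neither a file path nor inline content given' % kind)
            continue
        text = str(content).strip()
        if not (text.startswith('-----BEGIN ') and text.endswith('-----')):
            findings.append('%s_content does not look like a PEM block' % kind)
    return findings


def audit_enabled(audit_settings, service):
    """audit-settings rule: enabled-services wins, then disabled-services,
    then default (a missing default is treated as disabled; assumption)."""
    if service in (audit_settings.get('enabled-services') or []):
        return True
    if service in (audit_settings.get('disabled-services') or []):
        return False
    return str(audit_settings.get('default', 'disabled')).lower() == 'enabled'


def run_preflight(deploy_cfg, plugin_conf):
    """All findings for one deployment; an empty list means nothing to fix."""
    return (check_master_key(deploy_cfg) + check_plugin_selection(deploy_cfg)
            + check_plugin_certs(plugin_conf))


# Constructed sample values (not from a real deployment).
WEAK_DEPLOY_CFG = {
    'barbican_customer_master_key': 'plaintext-master-key',  # no @ardana@ prefix
    'use_kmip_secretstore_plugin': 'True',
    'use_pkcs11_crypto_plugin': False,
    'barbican_kmip_username': '',
}
SAMPLE_PLUGIN_CONF = {
    'client_cert_file_path': '/tmp/client.pem',  # path wins over any content
    'client_key_file_path': None,
    'client_key_content': '-----BEGIN PRIVATE KEY-----\nc2FtcGxl\n-----END PRIVATE KEY-----\n',
    'client_cacert_file_path': '',
    'client_cacert_content': '',  # CA certificate missing entirely
}

if __name__ == '__main__':
    for finding in run_preflight(WEAK_DEPLOY_CFG, SAMPLE_PLUGIN_CONF):
        print('WARN: ' + finding)
```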
File ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/defaults/main.yml

```yaml
#
---
component_service_name: "{{ barbican_api_service_name }}"
notification_driver_name: "log"
audit_filter: ""
logging_conf_file_name: api-logging.conf
```

File ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/ardana/barbican_pkcs11_plugin_config_sample.yml
```yaml
#
---
barbican_pkcs11_plugin_conf:
  # Either use file path to provide client certificate details or add cert
  # content directly in related content variables defined below.
  # File paths take precedence over cert content if both are provided.
  # Here file path refers to local filesystem path where ansible is
  # executed.
  client_cert_file_path:
  client_key_file_path:
  client_cacert_file_path:
  # Following are samples which customer needs to replace with their
  # own content here or via file path approach mentioned above.
  client_cert_content: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  client_key_content: |
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
  client_cacert_content: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
```

File ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/ardana/sample_pkcs11_ca.pem
(PEM file holding the same sample CA certificate as `client_cacert_content` above)

File ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/ardana/sample_pkcs11_client.pem
(PEM file holding the same sample client certificate as `client_cert_content` above)

File ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/ardana/sample_pkcs11_client_privateKey.pem
(PEM file holding the same sample private key as `client_key_content` above)

File ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/barbican_kmip_plugin_config_sample.yml

```yaml
#
---
barbican_kmip_plugin_conf:
  # Either use file path to provide client certificate details or add cert
  # content directly in related content variables defined below.
  # File paths take precedence over cert content if both are provided.
  # Here file path refers to local filesystem path where ansible is
  # executed.
  client_cert_file_path:
  client_key_file_path:
  client_cacert_file_path:
  # Following are samples which customer needs to replace with their
  # own content here or via file path approach mentioned above.
  client_cert_content: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  client_key_content: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
  client_cacert_content: |
    -----BEGIN CERTIFICATE-----
    ...
```
BJ2cof90EhcbSeA/YFolIJjQLwKzg53zNryCIW4TKqS5Y6nvALxI3Y3tak2Vp9Gy PXOfn4Bz0Z2o0E1u4tXvXtuAFBGs760vC6u5KbAgy/xjeO6kpVZCK5KGH7hJ4sBC J8b6UOir9m4lAg4K9Yia57uyJkt9LBDWhclv5DOF8LLvLjDca9eXocbDoulUhs94 QugbUB0GYEdLPtMYwZiIwvNsuIdn8NIAzW/SJ2AnnYZZqo9CHALdxJg0MCHpOKKA u8nDcZHAUJOkKUQgNtkFq2gx0N8uCJWqzkEQIaXlAgMBAAGjgfQwgfEwHQYDVR0O BBYEFPZqSMXT2ooyVvXZ01Fxe3OvPhafMIHBBgNVHSMEgbkwgbaAFPZqSMXT2ooy VvXZ01Fxe3OvPhafoYGapIGXMIGUMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ08x FDASBgNVBAcTC0Z0LiBDb2xsaW5zMRgwFgYDVQQKEw9IZXdsZXR0IFBhY2thcmQx DDAKBgNVBAsTA0NUTDEWMBQGA1UEAxQNS01JUF9Mb2NhbF9DQTEiMCAGCSqGSIb3 DQEJARYTZGFuLmFzaGJhdWdoQGhwLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqG SIb3DQEBCwUAA4IBAQDOqlaGPXwq186iCXeI9QN9aVW+IZUXiBFdeXYd0F6My/vq pop7/R+4IbS3cBUo5hYkEVo6hk9IeKYCHrD7e1QbWfgCfRijhudwmCj80bQcAb+D Mu4N4SltOrhMTOl4VSjwdZyRJHSqf4FrgXAqGCfASKOGSyOXfr9qBSn/iqmRaUYm fFgsCh6/co2fozkRfgdsdR0MBp1FpV/dMXJqHHLSZB/P126GuYProQmbY0K1uQGU FAimEB/a2E+A0oxwuHmhMg0kOpDuXIWn4BW+Z6z5h1j3PFyg/CZ548Fz0XOgvXC7 Ejpkd+5R+24HloruUV1R2EYvmlr8UMFX80og11u+ -----END CERTIFICATE----- 0707010000002C000081A40000000000000000000000015E7B82F900000677000000000000000000000000000000000000005D00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/sample_kmip_ca.crt-----BEGIN CERTIFICATE----- MIIEmjCCA4KgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx CzAJBgNVBAgTAkNPMRQwEgYDVQQHEwtGdC4gQ29sbGluczEYMBYGA1UEChMPSGV3 bGV0dCBQYWNrYXJkMQwwCgYDVQQLEwNDVEwxFjAUBgNVBAMUDUtNSVBfTG9jYWxf Q0ExIjAgBgkqhkiG9w0BCQEWE2Rhbi5hc2hiYXVnaEBocC5jb20wHhcNMTQwMTI2 MTcwOTU4WhcNMjQwMTI1MTcwOTU4WjCBlDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT AkNPMRQwEgYDVQQHEwtGdC4gQ29sbGluczEYMBYGA1UEChMPSGV3bGV0dCBQYWNr YXJkMQwwCgYDVQQLEwNDVEwxFjAUBgNVBAMUDUtNSVBfTG9jYWxfQ0ExIjAgBgkq hkiG9w0BCQEWE2Rhbi5hc2hiYXVnaEBocC5jb20wggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQDvEv7rJQRKYddVZePjqVlEJDFq4UVfV7CUXaTs/fxQcRhF BJ2cof90EhcbSeA/YFolIJjQLwKzg53zNryCIW4TKqS5Y6nvALxI3Y3tak2Vp9Gy PXOfn4Bz0Z2o0E1u4tXvXtuAFBGs760vC6u5KbAgy/xjeO6kpVZCK5KGH7hJ4sBC 
J8b6UOir9m4lAg4K9Yia57uyJkt9LBDWhclv5DOF8LLvLjDca9eXocbDoulUhs94 QugbUB0GYEdLPtMYwZiIwvNsuIdn8NIAzW/SJ2AnnYZZqo9CHALdxJg0MCHpOKKA u8nDcZHAUJOkKUQgNtkFq2gx0N8uCJWqzkEQIaXlAgMBAAGjgfQwgfEwHQYDVR0O BBYEFPZqSMXT2ooyVvXZ01Fxe3OvPhafMIHBBgNVHSMEgbkwgbaAFPZqSMXT2ooy VvXZ01Fxe3OvPhafoYGapIGXMIGUMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ08x FDASBgNVBAcTC0Z0LiBDb2xsaW5zMRgwFgYDVQQKEw9IZXdsZXR0IFBhY2thcmQx DDAKBgNVBAsTA0NUTDEWMBQGA1UEAxQNS01JUF9Mb2NhbF9DQTEiMCAGCSqGSIb3 DQEJARYTZGFuLmFzaGJhdWdoQGhwLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqG SIb3DQEBCwUAA4IBAQDOqlaGPXwq186iCXeI9QN9aVW+IZUXiBFdeXYd0F6My/vq pop7/R+4IbS3cBUo5hYkEVo6hk9IeKYCHrD7e1QbWfgCfRijhudwmCj80bQcAb+D Mu4N4SltOrhMTOl4VSjwdZyRJHSqf4FrgXAqGCfASKOGSyOXfr9qBSn/iqmRaUYm fFgsCh6/co2fozkRfgdsdR0MBp1FpV/dMXJqHHLSZB/P126GuYProQmbY0K1uQGU FAimEB/a2E+A0oxwuHmhMg0kOpDuXIWn4BW+Z6z5h1j3PFyg/CZ548Fz0XOgvXC7 Ejpkd+5R+24HloruUV1R2EYvmlr8UMFX80og11u+ -----END CERTIFICATE----- 0707010000002D000081A40000000000000000000000015E7B82F90000056A000000000000000000000000000000000000006100000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/sample_kmip_client.crt-----BEGIN CERTIFICATE----- MIID0jCCArqgAwIBAgICAKQwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVT MQswCQYDVQQIEwJDTzEUMBIGA1UEBxMLRnQuIENvbGxpbnMxGDAWBgNVBAoTD0hl d2xldHQgUGFja2FyZDEMMAoGA1UECxMDQ1RMMRYwFAYDVQQDFA1LTUlQX0xvY2Fs X0NBMSIwIAYJKoZIhvcNAQkBFhNkYW4uYXNoYmF1Z2hAaHAuY29tMB4XDTE1MDkx NjA3MjIyMVoXDTI0MDEyNTA3MjIyMVowgaAxCzAJBgNVBAYTAlVTMQswCQYDVQQI DAJDQTESMBAGA1UEBwwJU3Vubnl2YWxlMSMwIQYDVQQKDBpIZXdsZXR0IFBhY2th cmQgRW50ZXJwcmlzZTESMBAGA1UECwwJSFBFIENsb3VkMRUwEwYDVQQDDAxobG1f YmFyYmljYW4xIDAeBgkqhkiG9w0BCQEWEWFydW4ua2FudEBocGUuY29tMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArjYVZzdsSMsk520UD1E94jl0/AZG LlsAB152dEP5E9C3mXzQZYvfApMh8PFc53gZwLBCb4joy1r8mZj/e7CwCUuo1cJH R9xnhwdK3RLeRbU3dfW838++5Kc1nW8ofLtCwQ6tD1Ye2SDWKQmfvk3ocX/o81ff s8chvPpBH9N3nU/p5+f7bNuQBG7Uj2/JTExuqMAwWmdBZz1OCGFaJRF0DEd9WJzL Hdaf83ZknyKREb7CETDmxBRST4KLfLZYpLb9MWjmCgotoX3nTuEh9LhhLIdy1jKd 
7KI1MJSisLYwINLaqtpEeZcPehCHthdd4y29ZMUmhh8MRihwfW1a4HGUOQIDAQAB oyAwHjAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIHgDANBgkqhkiG9w0BAQsF AAOCAQEArRJa3dypsHD7JYxvT9nlB0FzRAmLrdfMaC8UD4UxHDfBZK1QDEc6IOyA 0jpAmHTt7MoJN7f3MzX1M4Iu5tyUHNq1KWjtwHwEX7FrTm6G7ZOxhPiPim4BClFd FLoX/jlWyjzl5tjj10+26x5IuUtC+U5JUzEBY3j/q+lAO+Og2MTiJVnWm03ilsXt biRskNJZVtvbU71lF27Oy5rpPwhTcJ4EgRsMp7GmnlYdaT4/yRFLIBpWrtB3kooG Gyr8ICB8HJSWpM340f/YGIeLkoXGAWyqrxykH+fMnyCs7ctjH5B24u4y5En4q3gW L7x0qB6Zaf3IBkOZqf5bMfAQoKfxww== -----END CERTIFICATE-----0707010000002E000081A40000000000000000000000015E7B82F90000068B000000000000000000000000000000000000006100000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/sample_kmip_client.key-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEArjYVZzdsSMsk520UD1E94jl0/AZGLlsAB152dEP5E9C3mXzQ ZYvfApMh8PFc53gZwLBCb4joy1r8mZj/e7CwCUuo1cJHR9xnhwdK3RLeRbU3dfW8 38++5Kc1nW8ofLtCwQ6tD1Ye2SDWKQmfvk3ocX/o81ffs8chvPpBH9N3nU/p5+f7 bNuQBG7Uj2/JTExuqMAwWmdBZz1OCGFaJRF0DEd9WJzLHdaf83ZknyKREb7CETDm xBRST4KLfLZYpLb9MWjmCgotoX3nTuEh9LhhLIdy1jKd7KI1MJSisLYwINLaqtpE eZcPehCHthdd4y29ZMUmhh8MRihwfW1a4HGUOQIDAQABAoIBAA2CUCKS36i9Z/0y Li4J5LyYLAQnEGYj1Fq97n2Rj80DkFksnpRhRkfS1Pz0Gnowi/6vLFetzC+IvLHE dXtH9j6iSVNaH2DpLHYCEMIX5niNVuGkzqKkX28nsDanGgKiGskRtEXOLdI0g6bn AiYlsHKssom8NLKiLHGVDlvDcDEYkpA2WXXFvfUtI3Twu6o/T/Pf3ytcTPpa8yvG K2eR+Wr6HJ6Wc7rELaNFSqcDWRqRPG8bI5bUucDOxmOZac6j5ZsrpVgnZDHO78NX bnrHwXzS1Hm8oT6tFQTUbzjSJb7EbgS8JXdW4zWTd3zDdkq7rX2CNSGfzAz3wSl2 KkKSfqkCgYEA02MnqDmsUDkm6lYVva+WomMgyZvfOYDhca10tP5rBAXaZGP764tn PhD5KTyvOZrgBhLbsGZZVlQEwg8EKiS9vAj/POZqIs2wdH6nAni1FTRCQ2gScty0 IgS9iIYbO31FNbfGxqNDSbLDQGpzZ8U+b12YjhhCS45e/Twvm3AeyiMCgYEA0vpg 7vMmMgvOFDtbbOKUcLu1NgViO8B7N5idf6+Y/QYlydVXtujH0Yp9VisKDew5W1vy 8sQTAibJSY+OpchTT4LSNf6dGmIAWQIJeIjlkAvMoCNqeHiw77ZlWvwXc4jydAc3 pl0cIdaupeLQo+WeSthXe1JPuOv76xVZXeC4R/MCgYBdQTENlePewFfaqX+N3xil KvYb+xfPVnwemlcSQesUK0DdaP6KO0Wgq/w/pPXog9qw00D34S8oVoiC0/0SWoMZ oR54z22jTPq7aeRjwrygTh2tfwwkgBk3qL+0qvT4mZsex6R5nSziJmrc0Bl5fhq9 
Jp1Wkn0st/JP5W1bNWtf4QKBgEqt8e3jB5wjbZjfweby9RRKfURX94OrCHKPhQCT
iZXWvT2KVPgbwc88NE1yAqcW/N6H16FzIj9at1lghV/NXx//8KTIMZgLJJBdFjki
TBAG/TGaF6/5GLhhWdMw9KQiz5+ehmZPAww/T6bMeInrV3KqzZyLcEjGz29RKUb/
qntdAoGBANMBU9yDbQgvDSCor24DJ/gnXRPuF3W7VlnzCbu8twRK9JZJplD+jS58
98DmYxBio8+wQWQdiAPRRthtnvhSWL67oYACPwvWUJJ+D18HfpWCEgCmBU3a8ZHc
AaW8rRXtMZzuujGgAbA1hpf5z1lHuiG/X7/XMDVGiRALMyBbHV57
-----END RSA PRIVATE KEY-----

# File: roles/KEYMGR-API/handlers/main.yml
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Handlers for Barbican
- name: restart barbican
  service:
    name: barbican
    state: restarted
    sleep: 20

# Handlers for Barbican API
- name: barbican_api_config_change
  set_fact:
    barbican_api_restart_required: True

# File: roles/KEYMGR-API/meta/main.yml
#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
dependencies:
  - role: barbican-common
  - role: FND-AP2

# File: roles/KEYMGR-API/tasks/_configure_auditing.yml
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEYMGR-API | _configure_auditing | echo barbican auditing enable flag
  debug:
    msg: "barbican_api_audit_enable = {{ barbican_api_audit_enable }}"
  tags:
    - barbican
    - barbican_debug
  when: barbican_debug is defined

- name: KEYMGR-API | _configure_auditing | Set notification_driver, audit_filter facts when audit enabled
  set_fact:
    audit_filter: "audit"
    notification_driver_name: "log"
  when: barbican_api_audit_enable | bool
  tags:
    - barbican

- name: KEYMGR-API | _configure_auditing | Set notification_driver, audit_filter facts when audit disabled
  set_fact:
    audit_filter: ""
    notification_driver_name: "noop"
  when: barbican_api_audit_enable | bool == False
  tags:
    - barbican

- name: KEYMGR-API | _configure_auditing | Create auditing logging directory if not there
  file:
    path: "{{ barbican_audit_log_base_location }}/barbican"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    mode: 0755
    state: directory
  become: yes
  when: barbican_api_audit_enable | bool
  tags:
    - barbican

# The audit log is group-readable by the centralized logging group only.
- name: KEYMGR-API | _configure_auditing | Touch the audit log file
  file:
    path: "{{ item }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_centralized_log_group }}"
    mode: 0640
    state: touch
  become: yes
  with_items:
    - "{{ barbican_audit_log_base_location }}/barbican/barbican-audit.log"
  when: barbican_api_audit_enable | bool
  tags:
    - barbican

# File: roles/KEYMGR-API/tasks/_configure_deployment_options.yml
#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# We are adding here once again to enable reconfiguration of process counts

# File: roles/KEYMGR-API/tasks/_configure_kmip_plugin.yml
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEYMGR-API | _configure_kmip_plugin | barbican use kmip plugin flag value
  debug:
    msg: "use_kmip_secretstore_plugin = {{ use_kmip_secretstore_plugin }}"
  when: barbican_debug is defined
  tags:
    - barbican

- name: KEYMGR-API | _configure_kmip_plugin | Configure secretstore to kmip plugin if enabled
  set_fact:
    barbican_secretstore_plugins: "kmip_plugin"
    barbican_enabled_crypto_plugins: "simple_crypto"
  when: use_kmip_secretstore_plugin
  tags:
    - barbican

# Clears the KMIP connection settings when the plugin is off, so the rendered
# configuration carries no stale host, credential or certificate paths.
- name: KEYMGR-API | _configure_kmip_plugin | Configure secretstore to store crypto if kmip plugin not enabled
  set_fact:
    barbican_kmip_username:
    barbican_kmip_password:
    barbican_kmip_host:
    barbican_kmip_port:
    barbican_kmip_client_key_path:
    barbican_kmip_client_cert_path:
    barbican_kmip_client_cacert_path:
  when: use_kmip_secretstore_plugin | bool == False
  tags:
    - barbican

# File: roles/KEYMGR-API/tasks/_configure_kmip_plugin_certs.yml
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Used primarily to pass the KMIP client certificates from the ansible control
# machine to the nodes running the barbican service.

- name: KEYMGR-API | _configure_kmip_plugin_certs | Display variables related to KMIP plugin settings
  debug:
    var: barbican_kmip_plugin_conf.client_cert_content
  when: barbican_debug is defined
  tags:
    - barbican

# A defined, non-blank *_file_path wins over the matching *_content variable;
# the file is read on the control node via lookup('file').
- name: KEYMGR-API | _configure_kmip_plugin_certs | Identify client cert content from file if set
  set_fact:
    kmip_client_cert_content: "{{ lookup('file', barbican_kmip_plugin_conf.client_cert_file_path) }}"
  when: barbican_kmip_plugin_conf.client_cert_file_path is defined and
        barbican_kmip_plugin_conf.client_cert_file_path and
        barbican_kmip_plugin_conf.client_cert_file_path | trim != ''
  tags:
    - barbican

- name: KEYMGR-API | _configure_kmip_plugin_certs | Read client cert content from variable when file content not provided
  set_fact:
    kmip_client_cert_content: "{{ barbican_kmip_plugin_conf.client_cert_content }}"
  when: kmip_client_cert_content is not defined
  tags:
    - barbican

- name: KEYMGR-API | _configure_kmip_plugin_certs | Identify client key content from file if set
  set_fact:
    kmip_client_key_content: "{{ lookup('file', barbican_kmip_plugin_conf.client_key_file_path) }}"
  when: barbican_kmip_plugin_conf.client_key_file_path is defined and
        barbican_kmip_plugin_conf.client_key_file_path and
        barbican_kmip_plugin_conf.client_key_file_path | trim != ''
  tags:
    - barbican

- name: KEYMGR-API | _configure_kmip_plugin_certs | Read client key content from variable when file content not provided
  set_fact:
    kmip_client_key_content: "{{ barbican_kmip_plugin_conf.client_key_content }}"
  when: kmip_client_key_content is not defined
  tags:
    - barbican

- name: KEYMGR-API | _configure_kmip_plugin_certs | Identify client cacert content from file if set
  set_fact:
    kmip_client_cacert_content: "{{ lookup('file', barbican_kmip_plugin_conf.client_cacert_file_path) }}"
  when: barbican_kmip_plugin_conf.client_cacert_file_path is defined and
        barbican_kmip_plugin_conf.client_cacert_file_path and
        barbican_kmip_plugin_conf.client_cacert_file_path | trim != ''
  tags:
    - barbican

- name: KEYMGR-API | _configure_kmip_plugin_certs | Read client cacert content from variable when file content not provided
  set_fact:
    kmip_client_cacert_content: "{{ barbican_kmip_plugin_conf.client_cacert_content }}"
  when: kmip_client_cacert_content is not defined
  tags:
    - barbican

# Files land owner-read-only (0400) as the barbican user; no_log keeps the
# private key out of the play output.
- name: KEYMGR-API | _configure_kmip_plugin_certs | Copy KMIP client certs file
  copy:
    content: "{{ item.content }}"
    dest: "{{ item.dest }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    mode: 0400
  become: yes
  become_user: "{{ barbican_user }}"
  with_items:
    - { content: "{{ kmip_client_cert_content }}", dest: "{{ barbican_kmip_client_cert_path }}" }
    - { content: "{{ kmip_client_key_content }}", dest: "{{ barbican_kmip_client_key_path }}" }
    - { content: "{{ kmip_client_cacert_content }}", dest: "{{ barbican_kmip_client_cacert_path }}" }
  no_log: True
  register: ardana_notify_barbican_api_restart_required
  tags:
    - barbican

# File: roles/KEYMGR-API/tasks/_configure_master_key.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEYMGR-API | _configure_master_key | Use default master key if not yet initialized
  set_fact:
    barbican_simple_crypto_master_key: "{{ barbican_default_master_key }}"
  when: barbican_secretstore_plugins == "store_crypto" and
        (barbican_simple_crypto_master_key == "None" or not barbican_simple_crypto_master_key)
  tags:
    - barbican

- name: KEYMGR-API | _configure_master_key | Set barbican_simple_crypto_master_key to None if KMIP is Configured
  set_fact:
    barbican_simple_crypto_master_key: "None"
  when: use_kmip_secretstore_plugin

# Note: this prints the simple_crypto KEK in clear text in the play output
# whenever barbican_debug is defined.
- name: KEYMGR-API | _configure_master_key | Print existing master key values
  debug:
    msg: "barbican_simple_crypto_master_key = {{ barbican_simple_crypto_master_key }}, barbican_customer_master_key: {{ barbican_customer_master_key }}"
  when: barbican_debug is defined
  tags:
    - barbican

# File: roles/KEYMGR-API/tasks/_configure_pkcs11_plugin.yml
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: KEYMGR-API | _configure_pkcs11_plugin | barbican use pkcs11 plugin flag value
  debug:
    msg: "use_pkcs11_crypto_plugin = {{ use_pkcs11_crypto_plugin }}"
  when: barbican_debug is defined
  tags:
    - barbican

- name: KEYMGR-API | _configure_pkcs11_plugin | Configure secretstore to pkcs11 plugin if enabled
  set_fact:
    barbican_secretstore_plugins: "store_crypto"
    barbican_enabled_crypto_plugins: "p11_crypto"
  when: use_pkcs11_crypto_plugin
  tags:
    - barbican

- name: KEYMGR-API | _configure_pkcs11_plugin | Configure pkcs11 settings to default if pkcs11 plugin not enabled
  set_fact:
    barbican_pkcs11_session_password:
    barbican_pkcs11_mkek_label:
    barbican_pkcs11_hmac_label:
    barbican_pkcs11_library_path:
  when: use_pkcs11_crypto_plugin | bool == False
  tags:
    - barbican

- name: KEYMGR-API | _configure_pkcs11_plugin | Set library path on controller when ESKM pkcs11 connector flag is set
  set_fact:
    barbican_pkcs11_library_path: "{{ barbican_pkcs11_eskm_connector_library_path }}"
  when: barbican_pkcs11_provider_is_eskm | is_bool_true and
        barbican_pkcs11_library_path | is_str_set == False
  tags:
    - barbican

- name: KEYMGR-API | _configure_pkcs11_plugin | Install pkcs11 debian package on controller from third party repo
  apt:
    name: "{{ barbican_pkcs11_package_name }}"
    state: "present"
    force: yes
  become: yes
  when: barbican_pkcs11_package_name | is_str_set
  register: ardana_notify_barbican_api_restart_required
  tags:
    - barbican

- name: KEYMGR-API | _configure_pkcs11_plugin | Read stat for ESKM connector base path on controller
  stat:
    path: "{{ barbican_pkcs11_eskm_connector_base_path }}"
  become: yes
  when: barbican_pkcs11_eskm_generate_conf | is_bool_true
  register: barbican_pkcs11_eskm_connector_base_path_result
  tags:
    - barbican

- name: KEYMGR-API | _configure_pkcs11_plugin | Check stat for ESKM connector base path on controller
  fail:
    msg: "Missing ESKM pkcs11 connector at path '{{ barbican_pkcs11_eskm_connector_base_path }}'"
  when: barbican_pkcs11_eskm_connector_base_path_result is defined and
        barbican_pkcs11_eskm_connector_base_path_result.stat.exists == False
  tags:
    - barbican

- include: _configure_pkcs11_plugin_certs.yml
  when: barbican_pkcs11_plugin_conf is defined

- name: KEYMGR-API | _configure_pkcs11_plugin | Generate ESKM PKCS11 connector conf file
  shell: >
    {{ barbican_pkcs11_eskm_connector_base_path }}/bin/controlencryption
    --setserver={{ barbican_pkcs11_eskm_kmip_host }}
    --port={{ barbican_pkcs11_eskm_kmip_port }}
  args:
    chdir: "{{ barbican_pkcs11_eskm_connector_base_path }}/bin"
    executable: /bin/bash
  become: yes
  when: barbican_pkcs11_eskm_generate_conf | is_bool_true and
        barbican_pkcs11_eskm_kmip_host | is_str_set and
        barbican_pkcs11_eskm_kmip_port | is_str_set
  register: eskm_pkcs11_generate_conf_result
  tags:
    - barbican

- name: KEYMGR-API | _configure_pkcs11_plugin | Result for PKCS11 connector conf generation
  debug:
    msg: "eskm_pkcs11_generate_conf_result = {{ eskm_pkcs11_generate_conf_result }}"
  when: eskm_pkcs11_generate_conf_result is defined
  tags:
    - barbican

- name: KEYMGR-API | _configure_pkcs11_plugin | Update pkcs11 conf values in generated config.conf file
  lineinfile:
    dest: "{{ barbican_pkcs11_eskm_connector_base_path }}/conf/config.conf"
    regexp: "{{ item.regexp }}"
    line: "{{ item.value }}"
    state: "present"
  become: yes
  with_items:
    - { regexp: "^sessionObjectCleanup=true", value: "sessionObjectCleanup=false" }
    - { regexp: "^requireSignVerify=true", value: "requireSignVerify=false" }
  when: eskm_pkcs11_generate_conf_result | success

# In generate label ignore error case when provided mkek label already exists
# to keep generation behavior idempotent.
# Note: the session passphrase is passed on the command line and the task has
# no no_log, so it is visible in the process list and in the registered result.
- name: KEYMGR-API | _configure_pkcs11_plugin | Generate pkcs11 mkek label
  command: >
    {{ barbican_bin_dir }}/barbican-manage hsm gen_mkek
    --library-path {{ barbican_pkcs11_library_path }}
    --passphrase {{ barbican_pkcs11_session_password }}
    --slot-id {{ barbican_pkcs11_slot_id }}
    --label '{{ barbican_pkcs11_mkek_label }}'
  become: yes
  when: barbican_pkcs11_generate_labels | is_bool_true and
        barbican_pkcs11_library_path | is_str_set and
        barbican_pkcs11_session_password | is_str_set and
        barbican_pkcs11_mkek_label | is_str_set
  register: pkcs11_generate_mkek_label_result
  failed_when: (pkcs11_generate_mkek_label_result | failed and
                'already exists' not in pkcs11_generate_mkek_label_result.stdout)
  run_once: True
  tags:
    - barbican

# The registered result includes the full command line, so this debug task
# also prints the passphrase used above.
- name: KEYMGR-API | _configure_pkcs11_plugin | Result for PKCS11 mkek label generation
  debug:
    msg: "pkcs11_generate_mkek_label_result = {{ pkcs11_generate_mkek_label_result }}"
  when: pkcs11_generate_mkek_label_result is defined
  tags:
    - barbican

# In generate label ignore error case when provided hmac label already exists
# to keep generation behavior idempotent.
- name: KEYMGR-API | _configure_pkcs11_plugin | Generate pkcs11 hmac label
  command: >
    {{ barbican_bin_dir }}/barbican-manage hsm gen_hmac
    --library-path {{ barbican_pkcs11_library_path }}
    --passphrase {{ barbican_pkcs11_session_password }}
    --slot-id {{ barbican_pkcs11_slot_id }}
    --label '{{ barbican_pkcs11_hmac_label }}'
  become: yes
  when: barbican_pkcs11_generate_labels | is_bool_true and
        barbican_pkcs11_library_path | is_str_set and
        barbican_pkcs11_session_password | is_str_set and
        barbican_pkcs11_hmac_label | is_str_set
  register: pkcs11_generate_hmac_label_result
  failed_when: (pkcs11_generate_hmac_label_result | failed and
                'already exists' not in pkcs11_generate_hmac_label_result.stdout)
  run_once: True
  tags:
    - barbican

- name: KEYMGR-API | _configure_pkcs11_plugin | Result for PKCS11 hmac label generation
  debug:
    msg: "pkcs11_generate_hmac_label_result = {{ pkcs11_generate_hmac_label_result }}"
  when: pkcs11_generate_hmac_label_result is defined
  tags:
    - barbican

# File: roles/KEYMGR-API/tasks/_configure_pkcs11_plugin_certs.yml
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Used primarily to pass pkcs11 client certificates from ansible control
# machine to nodes running barbican service.

- name: KEYMGR-API | _configure_pkcs11_plugin_certs | Display variables related to PKCS11 plugin settings
  debug: var=barbican_pkcs11_plugin_conf.client_cert_content
  when: barbican_debug is defined
  tags:
    - barbican

# Same precedence as the KMIP variant: a set *_file_path wins over *_content.
- name: KEYMGR-API | _configure_pkcs11_plugin_certs | Identify client cert content from file if set
  set_fact:
    pkcs11_client_cert_content: "{{ lookup('file', barbican_pkcs11_plugin_conf.client_cert_file_path) }}"
  when: barbican_pkcs11_plugin_conf.client_cert_file_path | is_str_set
  tags:
    - barbican

- name: KEYMGR-API | _configure_pkcs11_plugin_certs | Read client cert content from variable when file content not provided
  set_fact:
    pkcs11_client_cert_content: "{{ barbican_pkcs11_plugin_conf.client_cert_content }}"
  when: pkcs11_client_cert_content is not defined
  tags:
    - barbican

- name: KEYMGR-API | _configure_pkcs11_plugin_certs | Identify client key content from file if set
  set_fact:
    pkcs11_client_key_content: "{{ lookup('file', barbican_pkcs11_plugin_conf.client_key_file_path) }}"
  when: barbican_pkcs11_plugin_conf.client_key_file_path | is_str_set
  tags:
    - barbican

- name: KEYMGR-API | _configure_pkcs11_plugin_certs | Read client key content from variable when file content not provided
  set_fact:
    pkcs11_client_key_content: "{{ barbican_pkcs11_plugin_conf.client_key_content }}"
  when: pkcs11_client_key_content is not defined
  tags:
    - barbican

- name: KEYMGR-API | _configure_pkcs11_plugin_certs | Identify client cacert content from file if set
  set_fact:
    pkcs11_client_cacert_content: "{{ lookup('file', barbican_pkcs11_plugin_conf.client_cacert_file_path) }}"
  when: barbican_pkcs11_plugin_conf.client_cacert_file_path | is_str_set
  tags:
    - barbican

- name: KEYMGR-API | _configure_pkcs11_plugin_certs | Read client cacert content from variable when file content not provided
  set_fact:
    pkcs11_client_cacert_content: "{{ barbican_pkcs11_plugin_conf.client_cacert_content }}"
  when: pkcs11_client_cacert_content is not defined
  tags:
    - barbican

- name: KEYMGR-API | _configure_pkcs11_plugin_certs | Set certs path on controller when ESKM pkcs11 connector flag is set
  set_fact:
    barbican_pkcs11_client_cert_path: "{{ barbican_pkcs11_eskm_connector_client_cert_path }}"
    barbican_pkcs11_client_key_path: "{{ barbican_pkcs11_eskm_connector_client_key_path }}"
    barbican_pkcs11_client_cacert_path: "{{ barbican_pkcs11_eskm_connector_client_cacert_path }}"
  when: barbican_pkcs11_provider_is_eskm | is_bool_true and
        barbican_pkcs11_client_cert_path | is_str_set == False and
        barbican_pkcs11_client_key_path | is_str_set == False and
        barbican_pkcs11_client_cacert_path | is_str_set == False
  tags:
    - barbican

- name: KEYMGR-API | _configure_pkcs11_plugin_certs | Copy PKCS11 client certs file
  copy:
    content: "{{ item.content }}"
    dest: "{{ item.dest }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    mode: 0400
  become: yes
  with_items:
    - { content: "{{ pkcs11_client_cert_content }}", dest: "{{ barbican_pkcs11_client_cert_path }}" }
    - { content: "{{ pkcs11_client_key_content }}", dest: "{{ barbican_pkcs11_client_key_path }}" }
    - { content: "{{ pkcs11_client_cacert_content }}", dest: "{{ barbican_pkcs11_client_cacert_path }}" }
  no_log: True
  register: ardana_notify_barbican_api_restart_required
  tags:
    - barbican
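Both _configure_kmip_plugin_certs.yml and _configure_pkcs11_plugin_certs.yml resolve each certificate slot the same way (a set, non-blank file path beats the inline content) and then write the result with mode 0400 under no_log, so a pasted-in mistake is never displayed. The pre-flight check below is an added example, not code from the ardana-barbican role: it reproduces the role's precedence rule and adds the checks the play does not make, namely that each slot holds exactly one PEM block of a type allowed for that slot and that the base64 body decodes. The slot names follow the role; the PEM type table, the function names and the sample configuration (short placeholder base64, not real key material) are this example's own.

```python
import base64
import os
import re
import tempfile
from pathlib import Path

# A PEM block: the BEGIN and END labels must match; the body sits between them.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# PEM types each slot of barbican_kmip_plugin_conf / barbican_pkcs11_plugin_conf
# may carry (slot names are the role's; this table is the example's own).
EXPECTED_TYPES = {
    "client_cert": {"CERTIFICATE"},
    "client_key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
    "client_cacert": {"CERTIFICATE"},
}


def resolve_material(conf, slot):
    """Same precedence as the role: a defined, non-blank <slot>_file_path wins
    over <slot>_content. The path is read on the control node, like lookup('file')."""
    path = conf.get(f"{slot}_file_path")
    if path is not None and str(path).strip():
        return Path(path).read_text()
    return conf.get(f"{slot}_content")


def pem_blocks(text):
    """Return [(label, base64_body), ...] for every PEM block found in text."""
    return [(m.group(1), m.group(2)) for m in PEM_RE.finditer(text or "")]


def check_slot(conf, slot):
    """Return a list of problems for one slot; an empty list means it is usable."""
    material = resolve_material(conf, slot)
    if material is None or not material.strip():
        return [f"{slot}: neither file path nor inline content is set"]
    problems = []
    blocks = pem_blocks(material)
    if len(blocks) != 1:
        problems.append(f"{slot}: expected exactly one PEM block, found {len(blocks)}")
    for label, body in blocks:
        if label not in EXPECTED_TYPES[slot]:
            problems.append(f"{slot}: PEM type '{label}' not allowed here")
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"{slot}: PEM body is not valid base64")
    return problems


def validate_plugin_conf(conf):
    """Check all three slots; the play would write them 0400 under no_log, so
    this is the last point at which a mistake is still visible."""
    problems = []
    for slot in EXPECTED_TYPES:
        problems.extend(check_slot(conf, slot))
    return problems


# Constructed sample data (not real key material): bodies are short, valid
# base64 placeholders, not parseable DER.
SAMPLE_CONF = {
    "client_cert_file_path": "",        # blank path -> inline content is used
    "client_key_file_path": None,
    "client_cacert_file_path": "",
    "client_cert_content": "-----BEGIN CERTIFICATE-----\nMIIBszCCAVw=\n-----END CERTIFICATE-----\n",
    "client_key_content": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKC\n-----END RSA PRIVATE KEY-----\n",
    "client_cacert_content": "-----BEGIN CERTIFICATE-----\nMIIEmjCCA4Kg\n-----END CERTIFICATE-----\n",
}

# The mistake the role cannot catch: the private key pasted into the cert slot.
SWAPPED_CONF = dict(SAMPLE_CONF, client_cert_content=SAMPLE_CONF["client_key_content"])


def file_path_wins_demo():
    """Write the sample cert to a temp file and show that the path beats inline content."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
        fh.write(SAMPLE_CONF["client_cert_content"])
    try:
        conf = dict(SAMPLE_CONF, client_cert_file_path=fh.name, client_cert_content="ignored")
        return resolve_material(conf, "client_cert") == SAMPLE_CONF["client_cert_content"]
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    print("sample conf:", validate_plugin_conf(SAMPLE_CONF) or "OK")
    print("swapped conf:", validate_plugin_conf(SWAPPED_CONF))
    print("file path wins over inline content:", file_path_wins_demo())
```

Run it against the real `barbican_kmip_plugin_conf` dictionary (for example loaded from the plugin config YAML with a YAML parser) before the play; a swapped key and certificate, a stray second PEM block, or a path that is set but points at an empty file all surface here rather than as an opaque TLS failure against the KMIP device.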
ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/_configure_vhost.yml

#
# (c) Copyright 2018 SUSE LLC
#
---
- name: KEYMGR-API | configure | configure barbican-api vhost
  become: yes
  template:
    src: barbican-api-modwsgi.conf.j2
    dest: "{{ apache2_vhost_dir }}/barbican-api-modwsgi.vhost"
    mode: 0644
  register: ardana_notify_barbican_api_restart_required

ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/_validate_plugins_conf.yml

#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
---
- name: KEYMGR-API | _validate_plugins_conf | Configure to default when pkcs11 and kmip plugin is not enabled
  set_fact:
    barbican_secretstore_plugins: "store_crypto"
    barbican_enabled_crypto_plugins: "simple_crypto"
  when: use_pkcs11_crypto_plugin | bool == False and use_kmip_secretstore_plugin | bool == False
  tags:
    - barbican

- name: KEYMGR-API | _validate_plugins_conf | Fail that both pkcs11 and kmip plugins are enabled
  fail:
    msg: "Both pkcs11 and kmip plugin cannot be enabled at the same time"
  when: use_pkcs11_crypto_plugin | bool == True and use_kmip_secretstore_plugin | bool == True
  tags:
    - barbican

- name: KEYMGR-API | _validate_plugins_conf | Fail when library path is not set for pkcs11 plugin
  fail:
    msg: "For pkcs11, required pkcs11 library path is not set"
  when: use_pkcs11_crypto_plugin | is_bool_true and barbican_pkcs11_library_path | is_str_set | bool == False
  tags:
    - barbican

- name: KEYMGR-API | _validate_plugins_conf | Fail when needed pkcs11 generate mkek variables are not set
  fail:
    msg: "For pkcs11, required pkcs11 library path, passphrase or mkek label is not set"
  when: barbican_pkcs11_generate_labels | is_bool_true and
        ( barbican_pkcs11_library_path | is_str_set | bool == False or
          barbican_pkcs11_session_password | is_str_set | bool == False or
          barbican_pkcs11_mkek_label | is_str_set | bool == False )
  tags:
    - barbican

# The message names the hmac label, since that is the variable this task checks.
- name: KEYMGR-API | _validate_plugins_conf | Fail when needed pkcs11 generate hmac variables are not set
  fail:
    msg: "For pkcs11, required pkcs11 library path, passphrase or hmac label is not set"
  when: barbican_pkcs11_generate_labels | is_bool_true and
        ( barbican_pkcs11_library_path | is_str_set | bool == False or
          barbican_pkcs11_session_password | is_str_set | bool == False or
          barbican_pkcs11_hmac_label | is_str_set | bool == False )
  tags:
    - barbican

- name: KEYMGR-API | _validate_plugins_conf | Fail when needed ESKM pkcs11 generate conf variables are not set
  fail:
    msg: "For ESKM pkcs11 conf generation, required kmip host and port is not set"
  when: barbican_pkcs11_eskm_generate_conf | is_bool_true and
        ( barbican_pkcs11_eskm_kmip_host | is_str_set == False or
          barbican_pkcs11_eskm_kmip_port | is_str_set == False )
  tags:
    - barbican

ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/configure.yml

#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
---
- name: KEYMGR-API | configure | echo remote user
  debug:
    msg: "ansible_ssh_user = {{ ansible_ssh_user }}"
  when: barbican_debug is defined

- name: KEYMGR-API | configure | Set installed component specific directories path
  include: ../../barbican-common/tasks/_set_directories.yml
  vars:
    install_package_result: "{{ barbican_api_install_result }}"

- name: KEYMGR-API | configure | set api config dir location
  set_fact:
    barbican_api_config_dir: "{{ barbican_conf_dir }}"

- name: KEYMGR-API | configure | Touch the log file
  file:
    path: "{{ item }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_centralized_log_group }}"
    mode: 0640
    state: touch
  become: yes
  with_items:
    - "/var/log/barbican/barbican.log"
    - "/var/log/barbican/barbican-json.log"
    - "/var/log/barbican/barbican-api.log"
    - "/var/log/barbican/barbican-access.log"
    - "/var/log/barbican/barbican-monitor.log"
  tags:
    - barbican

# Configure and set all necessary variables used in templates.
# This way template can detect changes from existing file content
# and notify restart if changed. Do not change/set file content
# later via crudini as that will always result in changes
# and hence server restart.
- name: KEYMGR-API | configure | Includes features configuration playbook
  include: configure_features.yml

- name: KEYMGR-API | configure | Copies policy, barbican.conf, paste ini, api logging, audit map vassal files
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
  become: yes
  become_user: "{{ barbican_user }}"
  with_items:
    - { src: "policy.json", dest: "{{ barbican_conf_dir }}/policy.json", mode: "0400" }
    - { src: "barbican.conf.j2", dest: "{{ barbican_conf_dir }}/{{ barbican_api_conf_file }}", mode: "0600" }
    - { src: "barbican-api-paste.ini.j2", dest: "{{ barbican_conf_dir }}/barbican-api-paste.ini", mode: "0600" }
    - { src: "api-logging.conf.j2", dest: "{{ barbican_conf_dir }}/api-logging.conf", mode: "0600" }
    - { src: "api_audit_map.conf.j2", dest: "{{ barbican_conf_dir }}/api_audit_map.conf", mode: "0400" }
    - { src: "vassals_barbican-api.ini.j2", dest: "{{ barbican_conf_dir }}/vassals/barbican-api.ini", mode: "0600" }
  register: ardana_notify_barbican_api_restart_required
  tags:
    - barbican

- name: KEYMGR-API | configure | notify api restart if changed
  debug:
    msg: "barbican api conf file(s) have changed so barbican-api restart needed"
  when: ardana_notify_barbican_api_restart_required.changed

- name: KEYMGR-API | configure | Create barbican WSGI directory
  become: yes
  file:
    path: "{{ www_root }}/barbican"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    mode: 0755
    state: directory
  tags:
    - barbican

- name: KEYMGR-API | configure | Create symbolic link for the barbican-api startup
  become: yes
  file:
    src: "{{ barbican_venv_dir }}/bin/barbican-wsgi-api"
    dest: "{{ www_root }}/barbican/api"
    owner: root
    group: root
    state: link

- name: KEYMGR-API | configure | Configure the barbican_api_server vhost (SUSE)
  include: _configure_vhost.yml

- name: KEYMGR-API | configure | Create barbican conf symlinks
  become: yes
  file:
    src: "{{ barbican_conf_dir }}/{{ item }}"
    dest: "/etc/barbican/{{ item }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    state: link
  with_items:
    - "{{ barbican_api_conf_file }}"
    - barbican-api-paste.ini
    - api_audit_map.conf
    - api-logging.conf
    - policy.json
    - vassals/barbican-api.ini
  tags:
    - barbican

- name: KEYMGR-API | configure | echo ardanauser_home
  debug:
    msg: "ardanauser_home = {{ ardanauser_home }}"

- name: KEYMGR-API | configure | Copy barbican client env file
  template:
    src: "{{ item }}"
    dest: "{{ ardanauser_home }}"
    owner: "{{ ardanauser }}"
    group: "{{ ardanauser }}"
    mode: "0600"
  with_items:
    - barbican.osrc
  tags:
    - barbican

- name: KEYMGR-API | configure | Copy barbican client env file to deployer
  template:
    src: "{{ item }}"
    dest: "{{ ardanauser_home }}"
    owner: "{{ ardanauser }}"
    group: "{{ ardanauser }}"
    mode: "0600"
  delegate_to: localhost
  with_items:
    - barbican.osrc
  tags:
    - barbican

- name: KEYMGR-API | configure | Create/Upgrade Barbican database via barbican-manage command script
  command: >
    "{{ barbican_bin_dir }}/barbican-manage" db upgrade
    {{ barbican_database_connection_string }}
    --version "{{ barbican_db_version }}"
  run_once: True
  become: yes
  become_user: "{{ barbican_user }}"
  tags:
    - barbican

- name: KEYMGR-API | configure | Create barbican-manage command symlink
  become: yes
  file:
    src: "{{ barbican_bin_dir }}/{{ item }}"
    dest: "/usr/local/bin/{{ item }}"
    state: link
  with_items:
    - "barbican-manage"
  tags:
    - barbican

ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/configure_features.yml

#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
---
- include: _configure_deployment_options.yml

- include: _configure_auditing.yml

- include: _configure_kmip_plugin_certs.yml
  when: barbican_kmip_plugin_conf is defined

- include: _configure_kmip_plugin.yml

# ESKM pkcs11 package is available as debian only
- include: _configure_pkcs11_plugin.yml
  when: ansible_os_family | lower == 'debian'

- include: _validate_plugins_conf.yml

- include: _configure_master_key.yml

ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/install.yml

#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
---
# Some of these libraries are already in base node install. No harm in listing
# here.
# python-httplib2 is an ansible dependency for the module uri
- name: KEYMGR-API | install | Install OS specific required packages (legacy)
  become: yes
  package:
    state: present
    name: "{{ item }}"
  with_items: "{{ barbican_package_dependencies }}"
  tags:
    - barbican

- name: KEYMGR-API | install | Install OS specific required packages
  become: yes
  package:
    state: present
    name: "{{ item }}"
  with_items:
    - crudini
  when: deployer_media_legacy_layout | bool == False
  tags:
    - barbican

- name: KEYMGR-API | install | Add group '{{ barbican_group }}'
  become: yes
  group:
    name: "{{ barbican_group }}"
    state: present
  tags:
    - barbican

- name: KEYMGR-API | install | Add user '{{ barbican_user }}'
  become: yes
  user:
    name: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    createhome: yes
    home: "{{ barbican_home_dir }}"
    shell: /bin/true
    state: present
  tags:
    - barbican

- name: KEYMGR-API | install | Update Home directory permission
  become: yes
  file:
    path: "{{ barbican_home_dir }}"
    mode: 0750
    state: directory
  tags:
    - barbican

- name: KEYMGR-API | install | Update venv cache
  become: yes
  install_package:
    cache: update

- name: KEYMGR-API | install | Install Barbican from barbican venv
  become: yes
  install_package:
    name: barbican
    service: "{{ barbican_api_service_name }}"
    state: present
    activate: act_off
  register: barbican_api_install_result
  notify: barbican_api_config_change
  tags:
    - barbican

- name: KEYMGR-API | install | Install package result echo
  debug:
    msg: "barbican_api_install_result = {{ barbican_api_install_result }}"

- include: ../../barbican-common/tasks/_set_directories.yml
  vars:
    install_package_result: "{{ barbican_api_install_result }}"

- name: KEYMGR-API | install | Create barbican config directories only
  become: yes
  file:
    path: "{{ item.name }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    mode: "{{ item.mode }}"
    state: "directory"
  with_items:
    - { name: "{{ barbican_conf_dir }}", mode: "0755" }
    - { name: "{{ barbican_conf_dir }}/vassals", mode: "0755" }
    - { name: "{{ barbican_conf_dir }}/ssl/certs", mode: "0755" }
  tags:
    - barbican

- name: KEYMGR-API | install | Create /etc/barbican directories only
  become: yes
  file:
    path: "{{ item.name }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    mode: "{{ item.mode }}"
    state: "directory"
  with_items:
    - { name: /etc/barbican, mode: "u+rwx,g+rx,o+rx" }
    - { name: /etc/barbican/vassals, mode: "u+rwx,g+rx,o+rx" }
    - { name: /etc/barbican/ssl/certs, mode: "u+rwx,g-rx,o-rx" }
  tags:
    - barbican

- name: KEYMGR-API | install | print venv
  debug:
    msg: "Barbican venv dir = {{ barbican_venv_dir }}, bin dir = {{ barbican_bin_dir }}, conf dir = {{ barbican_conf_dir }}, share dir = {{ barbican_share_dir }}"
  tags:
    - barbican
    - barbican_debug
  when: barbican_debug is defined

- name: KEYMGR-API | install | Create logging directory
  become: yes
  file:
    path: /var/log/barbican
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    mode: 0755
    state: directory
  tags:
    - barbican

ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/keystone_change_pwd.yml

#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
---
- name: KEYMGR-API | keystone_change_pwd | Get a domain scoped token
  keystone_v3:
    endpoint: "{{ keystone.admin_url }}/v3"
    login_username: "{{ keystone.admin_user }}"
    login_password: "{{ keystone.admin_password }}"
    login_user_domain_name: "{{ keystone.default_domain_name }}"
    login_domain_name: "{{ keystone.default_domain_name }}"
    action: "token_get"
  register: domain_scoped_token_result
  run_once: True
  tags:
    - barbican

- name: KEYMGR-API | keystone_change_pwd | Update Barbican Service User password
  keystone_v3:
    login_token: "{{ domain_scoped_token_result.result }}"
    endpoint: "{{ keystone.admin_url }}/v3"
    action: "reset_password_by_admin"
    user_name: "{{ barbican_service_user }}"
    user_password: "{{ barbican_service_password }}"
    user_domain_name: "{{ barbican_admin_domain_name }}"
  run_once: True
  tags:
    - barbican

- name: KEYMGR-API | keystone_change_pwd | Update Barbican Admin User password
  keystone_v3:
    login_token: "{{ domain_scoped_token_result.result }}"
    endpoint: "{{ keystone.admin_url }}/v3"
    action: "reset_password_by_admin"
    user_name: "{{ barbican_admin_user }}"
    user_password: "{{ barbican_admin_user_password }}"
    user_domain_name: "{{ barbican_admin_domain_name }}"
  run_once: True
  tags:
    - barbican

ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/keystone_conf.yml

#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
---
- name: KEYMGR-API | keystone_conf | Get a domain scoped token
  keystone_v3:
    endpoint: "{{ keystone.admin_url }}/v3"
    login_username: "{{ keystone.admin_user }}"
    login_password: "{{ keystone.admin_password }}"
    login_user_domain_name: "{{ keystone.default_domain_name }}"
    login_domain_name: "{{ keystone.default_domain_name }}"
    action: "token_get"
  register: domain_scoped_token_result
  run_once: True
  tags:
    - barbican

- name: KEYMGR-API | keystone_conf | Create Barbican Service User
  become: yes
  keystone_v3:
    login_token: "{{ domain_scoped_token_result.result }}"
    endpoint: "{{ keystone.admin_url }}/v3"
    action: "create_user"
    user_name: "{{ barbican_service_user }}"
    user_password: "{{ barbican_service_password }}"
    description: "Bootstrap Account: Service User used by Barbican for token validation (created via barbican deploy)"
    user_domain_name: "{{ barbican_admin_domain_name }}"
  run_once: True
  tags:
    - barbican

- name: KEYMGR-API | keystone_conf | Create Barbican Admin User
  become: yes
  keystone_v3:
    login_token: "{{ domain_scoped_token_result.result }}"
    endpoint: "{{ keystone.admin_url }}/v3"
    action: "create_user"
    user_name: "{{ barbican_admin_user }}"
    user_password: "{{ barbican_admin_user_password }}"
    description: "Bootstrap Account: Barbican Service Admin user (created via barbican deploy)"
    user_domain_name: "{{ barbican_admin_domain_name }}"
  run_once: True
  tags:
    - barbican

- name: KEYMGR-API | keystone_conf | Create Barbican specific roles
  keystone_v3:
    login_token: "{{ domain_scoped_token_result.result }}"
    endpoint: "{{ keystone.admin_url }}/v3"
    action: "create_role"
    role_name: "{{ item.role_name }}"
    description: "{{ item.description }}"
  with_items:
    - { role_name: "{{ barbican_creator_role }}", description: "Bootstrap Role: creator role (created via barbican deploy)" }
    - { role_name: "{{ barbican_observer_role }}", description: "Bootstrap Role: observer role (created via barbican deploy)" }
    - { role_name: "{{ barbican_auditor_role }}", description: "Bootstrap Role: auditor role (created via barbican deploy)" }
    - { role_name: "{{ barbican_admin_role }}", description: "Bootstrap Role: admin role (created via barbican deploy)" }
    - { role_name: "{{ barbican_service_admin_role }}", description: "Bootstrap Role: service admin role (created via barbican deploy)" }
  run_once: True
  tags:
    - barbican

- name: KEYMGR-API | keystone_conf | Create role assignment for Barbican service user with keystone service role in service project
  become: yes
  keystone_v3:
    action: "grant_project_role"
    login_token: "{{ domain_scoped_token_result.result }}"
    endpoint: "{{ keystone.admin_url }}/v3"
    user_name: "{{ barbican_service_user }}"
    project_name: "{{ keystone.service_tenant_name }}"
    user_domain_name: "{{ barbican_admin_domain_name }}"
    project_domain_name: "{{ barbican_admin_domain_name }}"
    role_name: "{{ keystone_service_role }}"
  run_once: True
  tags:
    - barbican

- name: KEYMGR-API | keystone_conf | Create role assignment for Barbican admin user with Keystone admin role in admin project
  become: yes
  keystone_v3:
    action: "grant_project_role"
    login_token: "{{ domain_scoped_token_result.result }}"
    endpoint: "{{ keystone.admin_url }}/v3"
    user_name: "{{ barbican_admin_user }}"
    project_name: "{{ keystone.admin_tenant_name }}"
    user_domain_name: "{{ barbican_admin_domain_name }}"
    project_domain_name: "{{ barbican_admin_domain_name }}"
    role_name: "{{ keystone.admin_role }}"
  run_once: True
  tags:
    - barbican

- name: KEYMGR-API | keystone_conf | Create role assignment for Barbican admin user with Barbican admin role in admin project
  become: yes
  keystone_v3:
    action: "grant_project_role"
    login_token: "{{ domain_scoped_token_result.result }}"
    endpoint: "{{ keystone.admin_url }}/v3"
    user_name: "{{ barbican_admin_user }}"
    project_name: "{{ keystone.admin_tenant_name }}"
    user_domain_name: "{{ barbican_admin_domain_name }}"
    project_domain_name: "{{ barbican_admin_domain_name }}"
    role_name: "{{ barbican_admin_role }}"
  run_once: True
  tags:
    - barbican

- name: KEYMGR-API | keystone_conf | Create role assignment for Barbican admin user with Barbican service admin role in admin project
  become: yes
  keystone_v3:
    action: "grant_project_role"
    login_token: "{{ domain_scoped_token_result.result }}"
    endpoint: "{{ keystone.admin_url }}/v3"
    user_name: "{{ barbican_admin_user }}"
    project_name: "{{ keystone.admin_tenant_name }}"
    user_domain_name: "{{ barbican_admin_domain_name }}"
    project_domain_name: "{{ barbican_admin_domain_name }}"
    role_name: "{{ barbican_service_admin_role }}"
  run_once: True
  tags:
    - barbican

- name: KEYMGR-API | keystone_conf | Create role assignment for Keystone admin user with Barbican admin role in admin project
  become: yes
  keystone_v3:
    action: "grant_project_role"
    login_token: "{{ domain_scoped_token_result.result }}"
    endpoint: "{{ keystone.admin_url }}/v3"
    user_name: "{{ keystone.admin_user }}"
    project_name: "{{ keystone.admin_tenant_name }}"
    user_domain_name: "{{ barbican_admin_domain_name }}"
    project_domain_name: "{{ barbican_admin_domain_name }}"
    role_name: "{{ barbican_admin_role }}"
  run_once: True
  tags:
    - barbican

- name: KEYMGR-API | keystone_conf | Create role assignment for Keystone admin user with Barbican service admin role in admin project
  become: yes
  keystone_v3:
    action: "grant_project_role"
    login_token: "{{ domain_scoped_token_result.result }}"
    endpoint: "{{ keystone.admin_url }}/v3"
    user_name: "{{ keystone.admin_user }}"
    project_name: "{{ keystone.admin_tenant_name }}"
    user_domain_name: "{{ barbican_admin_domain_name }}"
    project_domain_name: "{{ barbican_admin_domain_name }}"
    role_name: "{{ barbican_service_admin_role }}"
  run_once: True
  tags:
    - barbican

ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/start.yml

#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
---
# Restart or start Barbican API
- name: KEYMGR-API | start | Activate the latest install
  install_package:
    name: barbican
    service: "{{ barbican_api_service_name }}"
    activate: act_on
    version: "{{ barbican_api_install_result.version }}"
  become: yes
  when: barbican_api_install_result is defined
  register: barbican_api_activate_result
  tags:
    - barbican

- name: KEYMGR-API | start | Activate barbican package result echo
  debug:
    msg: "barbican_api_activate_result = {{ barbican_api_activate_result }}"
  when: barbican_api_activate_result is defined

- name: KEYMGR-API | start | Enable barbican_api_server vhost (apache)
  file:
    src: "{{ apache2_vhost_dir }}/barbican-api-modwsgi.vhost"
    dest: "{{ apache2_vhost_dir }}/barbican-api-modwsgi.conf"
    state: link
  become: yes
  register: barbican_api_a2_enable_vhost_result

- name: KEYMGR-API | start | Restart or start Barbican API (apache)
  include: "{{ playbook_dir }}/roles/FND-AP2/tasks/start_reload.yml"
  vars:
    apache_reload_requested: "{{ barbican_api_a2_enable_vhost_result is defined and barbican_api_a2_enable_vhost_result.changed }}"
    apache_restart_requested: "{{ ( ardana_notify_barbican_api_restart_required is defined and ardana_notify_barbican_api_restart_required.changed ) or barbican_api_restart_required }}"

ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/status.yml

#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
---
- name: KEYMGR-API | status | Add some delay
  pause:
    seconds: 3

- name: KEYMGR-API | status | Register barbican status
  uri:
    url: "http://{{ barbican_api_network_address }}:{{ barbican_api_port }}"
    status_code: 300
    timeout: 600
  register: barbican_status_result
  failed_when: False
  tags:
    - barbican

- name: KEYMGR-API | status | Check status
  debug:
    msg: "Barbican Status is {{ barbican_status_result }}"
  when: barbican_status_result

- name: KEYMGR-API | status | Register local barbican status
  uri:
    url: "http://127.0.0.1:{{ barbican_api_port }}"
    status_code: 300
    timeout: 600
  register: barbican_status_result
  when: barbican_status_result.status is not defined or barbican_status_result.status != 300
  tags:
    - barbican

ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/stop.yml

#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
---
- name: KEYMGR-API | stop | Disable Barbican API vhost (apache)
  file:
    state: absent
    path: "{{ apache2_vhost_dir }}/barbican-api-modwsgi.conf"
  become: yes

- name: KEYMGR-API | stop | Reload apache so that Barbican API is stopped (apache)
  service:
    name: apache2
    state: reloaded
  become: yes

ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/templates/api-logging.conf.j2

{#
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
#}
[loggers]
keys: root, iso8601{%- if barbican_api_audit_enable|bool %}, audit{% endif %}

[handlers]
keys: watchedfile, logstash{%- if barbican_api_audit_enable|bool %}, auditfile{% endif %}

[formatters]
keys: debug, minimal, normal, logstash

###########
# Loggers #
###########

[logger_root]
qualname: root
handlers: watchedfile, logstash
level: NOTSET

[logger_iso8601]
qualname: iso8601
handlers: watchedfile, logstash
level: INFO

{%- if barbican_api_audit_enable|bool %}
[logger_audit]
qualname: oslo.messaging.notification.audit
handlers: auditfile
propagate: 0
level: INFO
{% endif %}

################
# Log Handlers #
################

# Writes to disk
[handler_watchedfile]
class: handlers.WatchedFileHandler
args: ('/var/log/barbican/barbican.log',)
formatter = debug
level: {{ barbican_loglevel }}

# Writes JSON to disk, beaver will ship to logstash
[handler_logstash]
class: handlers.WatchedFileHandler
args: ('/var/log/barbican/barbican-json.log',)
formatter= logstash
level: {{ barbican_logstash_loglevel }}

{%- if barbican_api_audit_enable|bool %}
[handler_auditfile]
class: handlers.WatchedFileHandler
args: ('{{ barbican_audit_log_base_location }}/barbican/barbican-audit.log',)
formatter = minimal
level: INFO
{% endif %}

##################
# Log Formatters #
##################

[formatter_minimal]
format=%(message)s

[formatter_normal]
format=(%(name)s): %(asctime)s %(levelname)s %(message)s

[formatter_debug]
format=(%(name)s): %(asctime)s %(levelname)s %(module)s %(funcName)s %(message)s

# datefmt must be set otherwise you end up with too many (msecs) fields
[formatter_context]
class: oslo_log.formatters.ContextFormatter
args: (datefmt=datefmt)
format: %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user)s %(tenant)s] %(instance)s%(message)s
datefmt: %Y-%m-%d %H:%M:%S

# the "format" attr actually sets the "type"
[formatter_logstash]
class = logstash.LogstashFormatterVersion1
format = barbican
File: roles/KEYMGR-API/templates/api_audit_map.conf.j2

```ini
{#
#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
[DEFAULT]
# default target endpoint type
# should match the endpoint type defined in service catalog
target_endpoint_type = key-manager

# map urls ending with specific text to a unique action
[custom_actions]
secrets/get = read/list
acl/get = read

# possible end path of api requests
[path_keywords]
#defaults = None
secrets=
containers=
orders=
#cas=None
quotas=

# map endpoint type defined in service catalog to CADF typeURI
[service_endpoints]
key-manager = service/security/keymanager
```

File: roles/KEYMGR-API/templates/barbican-api-modwsgi.conf.j2

```apache
{#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
#}
Listen {{ barbican_api_network_address }}:{{ barbican_api_port }}
<VirtualHost {{ barbican_api_network_address }}:{{ barbican_api_port }}>
    WSGIDaemonProcess barbican-api user={{ barbican_user }} group={{ barbican_group }} processes=3 threads=4 python-path={{ barbican_venv_dir }}:{{ barbican_venv_dir }}/lib/python2.7/site-packages/ display-name=barbican-api
    WSGIScriptAlias / {{ www_root }}/barbican/api
    WSGIProcessGroup barbican-api
    ErrorLog /var/log/barbican/barbican-api.log
    CustomLog /var/log/barbican/barbican-api.log combined
</VirtualHost>
```

File: roles/KEYMGR-API/templates/barbican-api-paste.ini.j2

```ini
{#
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
#}
[composite:main]
use = egg:Paste#urlmap
/: barbican_version
/v1: barbican-api-keystone

# Use this pipeline for Barbican API - versions no authentication
[pipeline:barbican_version]
pipeline = cors http_proxy_to_wsgi versionapp

# Use this pipeline for Barbican API - DEFAULT no authentication
# (not referenced by [composite:main]; every /v1 request goes through authtoken)
[pipeline:barbican_api]
pipeline = cors http_proxy_to_wsgi unauthenticated-context apiapp

# Use this pipeline to activate a repoze.profile middleware and HTTP port,
# to provide profiling information for the REST API processing.
# (not referenced by [composite:main]; unauthenticated and shows cgitb
# tracebacks, so development use only)
[pipeline:barbican-profile]
pipeline = cors http_proxy_to_wsgi unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp

# Use this pipeline for keystone auth
# {{ audit_filter }} expands to the audit filter name, or to nothing, so the
# audit middleware sits after authtoken and context when it is enabled
[pipeline:barbican-api-keystone]
pipeline = cors http_proxy_to_wsgi authtoken context {{ audit_filter }} apiapp

# Use this pipeline for keystone auth with audit feature
# (not referenced by [composite:main])
[pipeline:barbican-api-keystone-audit]
pipeline = http_proxy_to_wsgi authtoken context audit apiapp

[app:apiapp]
paste.app_factory = barbican.api.app:create_main_app

[app:versionapp]
paste.app_factory = barbican.api.app:create_version_app

[filter:simple]
paste.filter_factory = barbican.api.middleware.simple:SimpleFilter.factory

[filter:unauthenticated-context]
paste.filter_factory = barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory

[filter:context]
paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory

[filter:audit]
paste.filter_factory = keystonemiddleware.audit:filter_factory
audit_map_file = {{ barbican_conf_dir }}/api_audit_map.conf

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

[filter:profile]
use = egg:repoze.profile
log_filename = myapp.profile
cachegrind_filename = cachegrind.out.myapp
discard_first_request = true
path = /__profile__
flush_at_shutdown = true
unwind = false

[filter:cors]
paste.filter_factory = oslo_middleware.cors:filter_factory
oslo_config_project = barbican

[filter:http_proxy_to_wsgi]
paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory
```

File: roles/KEYMGR-API/templates/barbican.conf.j2

```ini
{#
#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
#}
# Please don't change any values under curly braces
[DEFAULT]

# Show more verbose log output (sets INFO log level output)
#verbose = True

# Show debugging output in logs (sets DEBUG log level output)
#debug = True

# Address to bind the API server
#bind_host = {{ barbican_api_network_address }}

# Port to bind the API server to
#bind_port = {{ barbican_api_port }}

# Host name, for use in HATEOS-style references
# Note: Typically this would be the load balanced endpoint that clients would
# use to communicate back with this service.
# host_href = {{ barbican_internal_endpoint }}
host_href =

# Log to this file. Make sure you do not set the same log
# file for both the API and registry servers!
#log_file = /var/log/barbican/api.log
log_config_append = "{{ barbican_conf_dir }}/{{ logging_conf_file_name }}"

# Backlog requests when creating socket
backlog = 4096

# TCP_KEEPIDLE value in seconds when creating socket.
# Not supported on OS X.
```
```ini
#tcp_keepidle = 600

# Maximum allowed secret payload and http request size against the barbican-api
max_allowed_secret_in_bytes = 10000
max_allowed_request_size_in_bytes = 1000000

# SQLAlchemy connection string for the reference implementation
# registry server. Any valid SQLAlchemy connection string is fine.
# See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine
# Uncomment this for local dev, putting db in project directory:
#sql_connection = sqlite:///barbican.sqlite
# Note: For absolute addresses, use '////' slashes after 'sqlite:'
# Uncomment for a more global development environment
sql_connection = {{ barbican_database_connection_string }}

# Don't auto create/upgrade database as part of server startup
db_auto_create = False

# Period in seconds after which SQLAlchemy should reestablish its connection
# to the database.
#
# MySQL uses a default `wait_timeout` of 8 hours, after which it will drop
# idle connections. This can result in 'MySQL Gone Away' exceptions. If you
# notice this, you can lower this value to ensure that SQLAlchemy reconnects
# before MySQL can drop the connection.
sql_idle_timeout = 3600

# Accepts a class imported from the sqlalchemy.pool module, and handles the
# details of building the pool for you. If commented out, SQLAlchemy
# will select based on the database dialect. Other options are QueuePool
# (for SQLAlchemy-managed connections) and NullPool (to disable SQLAlchemy
# management of connections).
# See http://docs.sqlalchemy.org/en/latest/core/pooling.html for more details.
sql_pool_class = QueuePool
sql_retry_interval = 1
sql_max_retries = 60

# Show SQLAlchemy pool-related debugging output in logs (sets DEBUG log level
# output) if specified.
#sql_pool_logging = True

# Size of pool used by SQLAlchemy. This is the largest number of connections
# that will be kept persistently in the pool. Can be set to 0 to indicate no
# size limit. To disable pooling, use a NullPool with sql_pool_class instead.
# Comment out to allow SQLAlchemy to select the default.
sql_pool_size = 5

# The maximum overflow size of the pool used by SQLAlchemy. When the number of
# checked-out connections reaches the size set in sql_pool_size, additional
# connections will be returned up to this limit. It follows then that the
# total number of simultaneous connections the pool will allow is
# sql_pool_size + sql_pool_max_overflow. Can be set to -1 to indicate no
# overflow limit, so no limit will be placed on the total number of concurrent
# connections. Comment out to allow SQLAlchemy to select the default.
sql_pool_max_overflow = 10

# Default page size for the 'limit' paging URL parameter.
default_limit_paging = 10

# Maximum page size for the 'limit' paging URL parameter.
max_limit_paging = 100

# Role used to identify an authenticated user as administrator
#admin_role = admin

# Allow unauthenticated users to access the API with read-only
# privileges. This only applies when using ContextMiddleware.
#allow_anonymous_access = False

# Allow access to version 1 of barbican api
#enable_v1_api = True

# Allow access to version 2 of barbican api
#enable_v2_api = True

# ================= SSL Options ===============================

# Certificate file to use when starting API server securely
#cert_file = {{ barbican_api_ssl_client_cert }}

# Private key file to use when starting API server securely
#key_file = {{ barbican_api_ssl_client_key }}

# CA certificate file to use to verify connecting clients
#ca_file = {{ barbican_api_ssl_ca_cert }}

# ================= Security Options ==========================

# AES key for encrypting store 'location' metadata, including
# -- if used -- Swift or S3 credentials
# Should be set to a random string of length 16, 24 or 32 bytes
#metadata_encryption_key = <16, 24 or 32 char registry metadata key>

# For HA, specify queue nodes in cluster as 'user@host:5672', comma delimited, ending with '/offset':
# For example: transport_url = rabbit://guest@192.168.50.8:5672,guest@192.168.50.9:5672/
transport_url = {{ barbican_transport_url }}

# oslo notification driver for sending audit events via audit middleware.
# Meaningful only when middleware is enabled in barbican paste ini file.
# This is oslo config MultiStrOpt so can be defined multiple times in case
# there is need to route audit event to messaging as well as log.
# notification_driver = messagingv2
# notification_driver = log
notification_driver = {{ notification_driver_name }}

# ================= Queue Options - oslo.messaging ==========================

[oslo_messaging_rabbit]
# Rabbit and HA configuration:
#amqp_durable_queues = True
ssl = {{ barbican_rabbit_use_ssl }}

[keystone_authtoken]
auth_type = password
auth_url = {{ keystone.identity_url }}
username = {{ barbican_service_user }}
password = {{ barbican_service_password }}
user_domain_name = {{ keystone.default_domain_name }}
project_name = {{ keystone.service_tenant_name }}
project_domain_name = {{ keystone.default_domain_name }}
cafile = {{ keystone.ca_file }}
# an X-Service-Token is only honoured when it carries one of these roles
service_token_roles_required = true
service_token_roles = admin
memcached_servers = {{ memcached_servers }}
# ENCRYPT: validated tokens cached in memcached are encrypted and
# authenticated with memcache_secret_key, not stored in the clear
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcache_secret_key }}
memcache_pool_socket_timeout = 1

# ======== OpenStack policy - oslo_policy ===============
[oslo_policy]
# ======== OpenStack policy integration
# JSON file representing policy (string value)
policy_file = /etc/barbican/policy.json

# Rule checked when requested rule is not found (string value)
policy_default_rule = default

# ================= Queue Options - Application ==========================
[queue]
# Enable queuing asynchronous messaging.
# Set false to invoke worker tasks synchronously (i.e. no-queue standalone mode)
enable = False

# Namespace for the queue
namespace = 'barbican'

# Topic for the queue
topic = 'barbican.workers'

# Version for the task API
version = '1.1'

# Server name for RPC service
server_name = 'barbican.queue'

# Number of asynchronous worker processes.
# When greater than 1, then that many additional worker processes are
# created for asynchronous worker functionality.
asynchronous_workers = 1

# ================= Retry/Scheduler Options ==========================
[retry_scheduler]
# Seconds (float) to wait before starting the retry scheduler
initial_delay_seconds = 10.0

# Seconds (float) between periodic retry scheduler runs
periodic_interval_max_seconds = 10.0

# ====================== Quota Options ===============================
[quotas]
# For each resource, the default maximum number that can be used for
# a project is set below. This value can be overridden for each
# project through the API. A negative value means no limit. A zero
# value effectively disables the resource.

# default number of secrets allowed per project
quota_secrets = -1
# default number of orders allowed per project
quota_orders = -1
# default number of containers allowed per project
quota_containers = -1
# default number of consumers allowed per project
quota_consumers = -1
# default number of CAs allowed per project
quota_cas = -1

# ================= Keystone Notification Options - Application ===============
[keystone_notifications]
# Keystone notification functionality uses transport related configuration
# from barbican common configuration as defined under
# 'Queue Options - oslo.messaging' comments.
# The HA related configuration is also shared with notification server.

# True enables keystone notification listener functionality.
enable = False

# The default exchange under which topics are scoped.
# May be overridden by an exchange name specified in the transport_url option.
control_exchange = 'openstack'

# Keystone notification queue topic name.
# This name needs to match one of values mentioned in Keystone deployment's
# 'notification_topics' configuration e.g.
#    notification_topics=notifications, barbican_notifications
# Multiple servers may listen on a topic and messages will be dispatched to one
# of the servers in a round-robin fashion. That's why Barbican service should
# have its own dedicated notification queue so that it receives all of Keystone
# notifications.
topic = 'notifications'

# True enables requeue feature in case of notification processing error.
# Enable this only when underlying transport supports this feature.
allow_requeue = False

# Version of tasks invoked via notifications
version = '1.0'

# Define the number of max threads to be used for notification server
# processing functionality.
thread_pool_size = 10

# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = {{ barbican_secretstore_plugins }}

# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = {{ barbican_enabled_crypto_plugins }}

[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
kek = "{{ barbican_simple_crypto_master_key | barbican_master_key_decrypt }}"

[dogtag_plugin]
pem_path = '/etc/barbican/kra_admin_cert.pem'
dogtag_host = localhost
dogtag_port = 8443
nss_db_path = '/etc/barbican/alias'
nss_db_path_ca = '/etc/barbican/alias-ca'
# placeholder, unlike the templated credentials of the other plugins;
# set a real NSS DB password before enabling the dogtag plugin
nss_password = 'password123'
simple_cmc_profile = 'caOtherCert'
ca_expiration_time = 1
plugin_working_dir = '/etc/barbican/dogtag'

[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = "{{ barbican_pkcs11_library_path }}"
# Password to login to PKCS11 session
login = "{{ barbican_pkcs11_session_password }}"
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = "{{ barbican_pkcs11_mkek_label }}"
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = "{{ barbican_pkcs11_hmac_label }}"
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
slot_id = {{ barbican_pkcs11_slot_id }}
# Enable Read/Write session with the HSM?
# rw_session = True
# Length of Project KEKs to create
# pkek_length = 32
# How long to cache unwrapped Project KEKs
pkek_cache_ttl = {{ barbican_pkcs11_project_kek_cache_ttl_secs }}
# Max number of items in pkek cache
pkek_cache_limit = {{ barbican_pkcs11_project_kek_cache_size }}
# Disable in case plugin iv generation is not needed e.g. for FIPS enabled HSM
generate_iv = True

# ================== KMIP plugin =====================
[kmip_plugin]
username = {{ barbican_kmip_username }}
password = {{ barbican_kmip_password }}
host = {{ barbican_kmip_host }}
port = {{ barbican_kmip_port }}
keyfile = {{ barbican_kmip_client_key_path }}
certfile = {{ barbican_kmip_client_cert_path }}
ca_certs = {{ barbican_kmip_client_cacert_path }}

# ================= Certificate plugin ===================
[certificate]
namespace = barbican.certificate.plugin
# MultiStrOpt: repeating the option enables both plugins
enabled_certificate_plugins = simple_certificate
enabled_certificate_plugins = snakeoil_ca

[certificate_event]
namespace = barbican.certificate.event.plugin
enabled_certificate_event_plugins = simple_certificate_event

[snakeoil_ca_plugin]
ca_cert_path = /etc/barbican/snakeoil-ca.crt
ca_cert_key_path = /etc/barbican/snakeoil-ca.key
ca_cert_chain_path = /etc/barbican/snakeoil-ca.chain
ca_cert_pkcs7_path = /etc/barbican/snakeoil-ca.p7b
subca_cert_key_directory = /etc/barbican/snakeoil-cas

[cors]
#
# From oslo.middleware.cors
#

# Indicate whether this resource may be shared with the domain
# received in the requests "origin" header. (list value)
#allowed_origin = <None>

# Indicate that the actual request can include user credentials
# (boolean value)
#allow_credentials = true

# Indicate which headers are safe to expose to the API. Defaults to
# HTTP Simple Headers. (list value)
#expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles

# Maximum cache age of CORS preflight requests. (integer value)
#max_age = 3600

# Indicate which methods can be used during the actual request. (list
# value)
#allow_methods = GET,PUT,POST,DELETE,PATCH

# Indicate which header field names may be used during the actual
# request. (list value)
#allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles

[cors.subdomain]
#
# From oslo.middleware.cors
#

# Indicate whether this resource may be shared with the domain
# received in the requests "origin" header. (list value)
#allowed_origin = <None>

# Indicate that the actual request can include user credentials
# (boolean value)
#allow_credentials = true

# Indicate which headers are safe to expose to the API. Defaults to
# HTTP Simple Headers. (list value)
#expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles

# Maximum cache age of CORS preflight requests. (integer value)
#max_age = 3600

# Indicate which methods can be used during the actual request. (list
# value)
#allow_methods = GET,PUT,POST,DELETE,PATCH

# Indicate which header field names may be used during the actual
# request. (list value)
#allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
```
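Whether the API is actually authenticated and audited is decided by `barbican-api-paste.ini.j2` above, not by `barbican.conf`: `[composite:main]` mounts `/v1` on `barbican-api-keystone`, while `barbican_api` and `barbican-profile` (both built on `unauthenticated-context`) are defined but never mounted, and the audit filter only attributes an initiator if it runs after `authtoken`. The check below is an added example, not code from the role: it parses a rendered copy of the paste file with `configparser` and reports any path that reaches `apiapp` without `authtoken`, any mounted chain without an audit filter behind `authtoken`, and dead unauthenticated pipelines that a one-character edit to the composite could mount. The rendered text is constructed here with `{{ audit_filter }}` assumed to be `audit` and `{{ barbican_conf_dir }}` assumed to be `/etc/barbican`.

```python
"""Check what barbican-api-paste.ini mounts and whether each mounted path is
authenticated and audited.  Added example, not part of the ardana-barbican
role; it parses the paste file with configparser and needs no Paste install."""
import configparser

# Constructed input: the barbican-api-paste.ini.j2 template above with
# {{ audit_filter }} rendered to "audit" and {{ barbican_conf_dir }} to
# /etc/barbican (assumed values); [filter:simple] and [filter:profile] are
# left out because the check does not look at them.
PASTE_INI = """\
[composite:main]
use = egg:Paste#urlmap
/: barbican_version
/v1: barbican-api-keystone

[pipeline:barbican_version]
pipeline = cors http_proxy_to_wsgi versionapp

[pipeline:barbican_api]
pipeline = cors http_proxy_to_wsgi unauthenticated-context apiapp

[pipeline:barbican-profile]
pipeline = cors http_proxy_to_wsgi unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp

[pipeline:barbican-api-keystone]
pipeline = cors http_proxy_to_wsgi authtoken context audit apiapp

[pipeline:barbican-api-keystone-audit]
pipeline = http_proxy_to_wsgi authtoken context audit apiapp

[app:apiapp]
paste.app_factory = barbican.api.app:create_main_app

[app:versionapp]
paste.app_factory = barbican.api.app:create_version_app

[filter:unauthenticated-context]
paste.filter_factory = barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory

[filter:context]
paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory

[filter:audit]
paste.filter_factory = keystonemiddleware.audit:filter_factory
audit_map_file = /etc/barbican/api_audit_map.conf

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

[filter:cors]
paste.filter_factory = oslo_middleware.cors:filter_factory
oslo_config_project = barbican

[filter:http_proxy_to_wsgi]
paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory
"""


def _chain(cp, name):
    """Filters and app of a pipeline, in order; a bare app is a one-element chain."""
    if cp.has_section("pipeline:" + name):
        return cp.get("pipeline:" + name, "pipeline").split()
    if cp.has_section("app:" + name):
        return [name]
    raise KeyError("no pipeline or app named %r" % name)


def audit_paste(text):
    """Return (mounted, unmounted).

    mounted: url prefix -> facts about the chain serving it.
    unmounted: pipeline name -> chain, for pipelines [composite:main] never
    references (dead configuration that a typo could mount)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    mounts = {p: t for p, t in cp.items("composite:main") if p != "use"}
    mounted = {}
    for prefix, target in mounts.items():
        chain = _chain(cp, target)
        auth = chain.index("authtoken") if "authtoken" in chain else None
        aud = chain.index("audit") if "audit" in chain else None
        mounted[prefix] = {
            "target": target,
            "app": chain[-1],
            "authenticated": auth is not None,
            "unauthenticated_context": "unauthenticated-context" in chain,
            # keystonemiddleware.audit reads the identity headers authtoken
            # sets, so the initiator is only attributed if audit runs after it
            "audited": auth is not None and aud is not None and aud > auth,
        }
    unmounted = {
        s.split(":", 1)[1]: cp.get(s, "pipeline").split()
        for s in cp.sections()
        if s.startswith("pipeline:") and s.split(":", 1)[1] not in mounts.values()
    }
    return mounted, unmounted


def findings(text):
    """Things to fix, one string each; an empty list means the file is as expected."""
    mounted, unmounted = audit_paste(text)
    out = []
    for prefix, info in mounted.items():
        if info["app"] == "apiapp" and not info["authenticated"]:
            out.append(prefix + ": apiapp mounted without authtoken")
        if info["app"] == "apiapp" and not info["audited"]:
            out.append(prefix + ": no audit filter after authtoken")
    for name in sorted(unmounted):
        if "unauthenticated-context" in unmounted[name]:
            out.append(name + ": unmounted pipeline with unauthenticated-context, remove it")
    return out


if __name__ == "__main__":
    for line in findings(PASTE_INI) or ["no findings"]:
        print(line)
```

On the file as shipped the only findings are the two dead unauthenticated pipelines; `/` serving `versionapp` without `authtoken` is expected, since version discovery is meant to be anonymous. Point `/v1` at `barbican_api` instead and the check reports an unauthenticated `apiapp` with no audit trail.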
File: roles/KEYMGR-API/templates/barbican.osrc

```sh
{#
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
#}
# Environment variables for Barbican client API.
#export OS_URL={{ keystone.admin_url }}/v3
unset OS_DOMAIN_NAME
unset OS_PROJECT_NAME
unset OS_PROJECT_DOMAIN_NAME
export OS_PROJECT_NAME={{ keystone.admin_tenant_name }}
# Either Project ID or Project Name is required
#export OS_PROJECT_DOMAIN_ID=
export OS_PROJECT_DOMAIN_NAME={{ barbican_admin_domain_name }}
# Either Domain User ID or Domain User Name is required
#export OS_USER_DOMAIN_ID=
export OS_USER_DOMAIN_NAME={{ barbican_admin_domain_name }}
# Either User ID or Username can be used
#export OS_USER_ID=
export OS_USERNAME={{ barbican_admin_user }}
export OS_PASSWORD={{ barbican_admin_user_password }}
export OS_ENDPOINT_TYPE=internalURL
# OS_AUTH_URL should be your location of Keystone
# Barbican Client defaults to Keystone V3
export OS_AUTH_URL="{{ keystone.auth_url }}/v3"
export BARBICAN_INTERFACE=internal
export OS_IDENTITY_API_VERSION=3
export OS_CACERT={{ trusted_ca_bundle }}
```

File: roles/KEYMGR-API/templates/barbican_api_server_start

```python
#!/usr/bin/env python
from paste import deploy
from paste import httpserver


def run():
    # prop_dir = "{{ barbican_conf_dir }}"
    prop_dir = "/etc/barbican"
    # Load the "main" composite from the paste-deploy config and serve it with
    # paste's built-in threaded HTTP server on the templated address and port
    application = deploy.loadapp(
        'config:{prop_dir}/barbican-api-paste.ini'.format(prop_dir=prop_dir),
        name='main')
    httpserver.serve(application,
                     host="{{ barbican_api_network_address }}",
                     port='{{ barbican_api_port }}',
                     daemon_threads=True)


if __name__ == '__main__':
    run()
```

File: roles/KEYMGR-API/templates/generate_kek

```python
#!/usr/bin/env python
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
#
import base64
import os
import os.path
import imp
import sys

# ardanaencrypt.py lives three directories up from this template
path = os.path.dirname(os.path.realpath(__file__))
ardanaencrypt = imp.load_source('ardanaencrypt',
                                path + '/../../../ardanaencrypt.py')
encryption_class = 'openssl'
ardanaencrypt_class = getattr(ardanaencrypt, encryption_class)


def generate_key(num_bytes=32, oldKey=None):
    # 32 random bytes, urlsafe-base64 encoded: the shape the
    # simple_crypto_plugin kek in barbican.conf.j2 expects
    value = base64.urlsafe_b64encode(os.urandom(num_bytes))
    # A key given on the command line is wrapped instead of a fresh one
    if len(sys.argv) > 1:
        value = sys.argv[1]
    # Make sure input value is not encrypted already
    if (value.startswith(ardanaencrypt_class.prefix) or
            value.startswith(ardanaencrypt_class.legacy_prefix)):
        return value
    obj = ardanaencrypt_class()
    # More base64 encoding to avoid any new line or special chars.  The
    # prefixed result is what the barbican_master_key_decrypt filter in
    # barbican.conf.j2 turns back into the plain kek at render time.
    result = obj.prefix + base64.urlsafe_b64encode(obj.encrypt(value))
    return result


if __name__ == '__main__':
    print(generate_key())
```
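The `generate_kek` script above and the `[simple_crypto_plugin]` section of `barbican.conf.j2` agree on one format: urlsafe base64 of 32 random bytes, which is also what a Fernet key looks like. Nothing in the role validates a value that an operator supplies on the command line, and a 32-byte string typed by hand decodes just as happily as random bytes. The following is an added example, not the role's script and not code from the Barbican project: it produces a KEK the same way `generate_kek` does, leaves out the `ardanaencrypt` wrapping step (that module is not part of this package), and adds the checks worth running before a value reaches `barbican.conf`. `TYPED_KEY` is a constructed low-entropy value used to show why a length check alone is not enough.

```python
"""Generate and validate a simple_crypto_plugin master KEK.  Added example:
not the role's generate_kek script, and without its ardanaencrypt wrapping
step (that module is not in this package); what it adds is the validation a
practitioner wants before a value reaches barbican.conf."""
import base64
import binascii
import os
import string

KEK_BYTES = 32
URLSAFE_ALPHABET = set(string.ascii_letters + string.digits + "-_=")

# Constructed: urlsafe base64 of the ASCII string
# "abcdefghijklmnopqrstuvwxyz123456", i.e. a typed "key" that is 32 bytes long
# but has almost no entropy.  It decodes fine, so length alone does not catch it.
TYPED_KEY = "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="


def generate_kek(num_bytes=KEK_BYTES):
    """Same construction as generate_kek above: urlsafe base64 of os.urandom."""
    return base64.urlsafe_b64encode(os.urandom(num_bytes)).decode("ascii")


def validate_kek(value):
    """Return the reasons value is not an acceptable KEK; [] means acceptable.

    The kek line in barbican.conf.j2 wraps the value in double quotes, so
    surrounding quotes are stripped first."""
    raw = value.strip().strip("\"'")
    reasons = []
    # Only the urlsafe alphabet the script above emits.  A non-validating
    # decoder silently discards stray characters (whitespace, quotes, '.')
    # and would produce a different key than the one the operator meant.
    if not raw or not set(raw) <= URLSAFE_ALPHABET:
        reasons.append("not urlsafe base64 (only A-Z a-z 0-9 - _ and = padding allowed)")
        return reasons
    try:
        # validate=True refuses anything the regex above let through with bad
        # padding instead of truncating it
        key = base64.b64decode(raw, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        reasons.append("base64 decoding failed (bad length or padding)")
        return reasons
    if len(key) != KEK_BYTES:
        reasons.append("decodes to %d bytes, need %d" % (len(key), KEK_BYTES))
    # 32 random bytes are all printable ASCII with probability (95/256)**32,
    # roughly 1e-14: if they are, somebody typed a passphrase instead
    if all(32 <= b < 127 for b in key):
        reasons.append("decoded bytes are all printable ASCII: looks like a typed passphrase, not random bytes")
    if len(set(key)) < 16:
        reasons.append("too few distinct byte values for a random key")
    return reasons


if __name__ == "__main__":
    fresh = generate_kek()
    print(fresh, validate_kek(fresh))
    print(TYPED_KEY, validate_kek(TYPED_KEY))
```

A freshly generated key passes with or without the surrounding quotes that `barbican.conf.j2` adds; `TYPED_KEY` is the right length but is flagged as printable ASCII, and standard-alphabet base64 (`+` or `/`) or a truncated value is rejected before it can be mis-decoded.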
File: roles/KEYMGR-API/templates/policy.json

```json
{#
#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
#}
{
    "admin": "role:{{ barbican_admin_role }}",
    "observer": "role:{{ barbican_observer_role }}",
    "creator": "role:{{ barbican_creator_role }}",
    "audit": "role:{{ barbican_auditor_role }}",
    "service_admin": "role:{{ barbican_service_admin_role }}",
    "admin_or_user_does_not_work": "project_id:%(project_id)s",
    "admin_or_user": "rule:admin or project_id:%(project_id)s",
    "admin_or_creator": "rule:admin or rule:creator",
    "all_but_audit": "rule:admin or rule:observer or rule:creator",
    "all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin",
    "secret_project_match": "project:%(target.secret.project_id)s",
    "secret_acl_read": "'read':%(target.secret.read)s",
    "secret_private_read": "'False':%(target.secret.read_project_access)s",
    "secret_creator_user": "user:%(target.secret.creator_id)s",
    "container_project_match": "project:%(target.container.project_id)s",
    "container_acl_read": "'read':%(target.container.read)s",
    "container_private_read": "'False':%(target.container.read_project_access)s",
    "container_creator_user": "user:%(target.container.creator_id)s",
    "secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read",
    "secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
    "container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read",
    "secret_project_admin": "rule:admin and rule:secret_project_match",
    "secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user",
    "container_project_admin": "rule:admin and rule:container_project_match",
    "container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user",
    "version:get": "@",
    "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
    "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
    "secret:put": "rule:admin_or_creator and rule:secret_project_match",
    "secret:delete": "rule:secret_project_admin or rule:secret_project_creator",
    "secrets:post": "rule:admin_or_creator",
    "secrets:get": "rule:all_but_audit",
    "orders:post": "rule:admin_or_creator",
    "orders:get": "rule:all_but_audit",
    "order:get": "rule:all_users",
    "order:put": "rule:admin_or_creator",
    "order:delete": "rule:admin",
    "consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
    "consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
    "consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
    "consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
    "containers:post": "rule:admin_or_creator",
    "containers:get": "rule:all_but_audit",
    "container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
    "container:delete": "rule:container_project_admin or rule:container_project_creator",
    "container_secret:post": "rule:admin",
    "container_secret:delete": "rule:admin",
    "transport_key:get": "rule:all_users",
    "transport_key:delete": "rule:admin",
    "transport_keys:get": "rule:all_users",
    "transport_keys:post": "rule:admin",
    "certificate_authorities:get_limited": "rule:all_users",
    "certificate_authorities:get_all": "rule:admin",
    "certificate_authorities:post": "rule:admin",
    "certificate_authorities:get_preferred_ca": "rule:all_users",
    "certificate_authorities:get_global_preferred_ca": "rule:service_admin",
    "certificate_authorities:unset_global_preferred": "rule:service_admin",
    "certificate_authority:delete": "rule:admin",
    "certificate_authority:get": "rule:all_users",
    "certificate_authority:get_cacert": "rule:all_users",
    "certificate_authority:get_ca_cert_chain": "rule:all_users",
    "certificate_authority:get_projects": "rule:service_admin",
    "certificate_authority:add_to_project": "rule:admin",
    "certificate_authority:remove_from_project": "rule:admin",
    "certificate_authority:set_preferred": "rule:admin",
    "certificate_authority:set_global_preferred": "rule:service_admin",
    "secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator",
    "secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator",
    "secret_acls:get": "rule:all_but_audit and rule:secret_project_match",
    "container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator",
    "container_acls:delete": "rule:container_project_admin or rule:container_project_creator",
    "container_acls:get": "rule:all_but_audit and rule:container_project_match",
    "quotas:get": "rule:all_users",
    "project_quotas:get": "rule:service_admin",
    "project_quotas:put": "rule:service_admin",
    "project_quotas:delete": "rule:service_admin",
    "secret_meta:get": "rule:all_but_audit",
    "secret_meta:post": "rule:admin_or_creator",
    "secret_meta:put": "rule:admin_or_creator",
    "secret_meta:delete": "rule:admin_or_creator",
    "secretstores:get": "rule:admin",
    "secretstores:get_global_default": "rule:admin",
    "secretstores:get_preferred": "rule:admin",
    "secretstore_preferred:post": "rule:admin",
    "secretstore_preferred:delete": "rule:admin",
    "secretstore:get": "rule:admin"
}
```
File: roles/KEYMGR-API/templates/vassals_barbican-api.ini.j2

```ini
{#
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
#}
[uwsgi]
socket = {{ barbican_api_network_address }}:{{ barbican_api_port }}
# the socket speaks plain HTTP; TLS, if used, has to be terminated in front of it
protocol = http
cheaper-algo = spare
cheaper = {{ barbican_api_min_worker_count }}
cheaper-initial = {{ barbican_api_initial_worker_count }}
# window in seconds. spawns new workers if all workers are busy during this window.
# uwsgi own default is 3. Increasing to 10.
cheaper-overload = 10
workers = {{ barbican_api_max_worker_count }}
threads = {{ barbican_api_threads_count }}
# lazy-apps = true will load application after fork
# lazy-apps = false, fork after loading application to share memory across workers
lazy-apps = false
# try to remove all of generated file/sockets
vacuum = true
#ignore-sigpipe = true
no-default-app = true
memory-report = true
# kill the process instead of reloading when SIGTERM is sent.
die-on-term = true
# the maximum time (in seconds) we wait for workers and other processes to die during reload/shutdown
reload-mercy = 5
worker-reload-mercy = 5
# disable-logging = true
# send stdout/stderr to the log engine too
pty-log = true
#logger = errorlog syslog
logger = monitorlog file:/var/log/barbican/barbican-monitor.log
logger = file:/var/log/barbican/barbican-access.log
# send bare "GET /" request lines (e.g. monitoring probes) to the monitor logger
log-route = monitorlog (GET / HTTP/1.\d)
#log-route = errorlog HTTP/1.0" 500
#logto=/var/log/barbican/barbican-access.log
log-format = %(host) - [%(ltime)] "%(method) %(uri) %(proto)" %(status) %(size) "%(referer)" "%(uagent)" "%(micros) micros" "rss: %(rssM) MB" "pid: %(pid)"
procname-prefix-spaced = barbican-api
#plugins = python
venv = {{ barbican_venv_dir }}
paste = config:{{ barbican_conf_dir }}/barbican-api-paste.ini
#paste-logger={{ barbican_conf_dir }}/api-logging.conf
#add-header = Connection: close
```

File: roles/KEYMGR-API/vars/main.yml

```yaml
#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
#
ardanauser: "{{ ansible_env['USER'] }}"
ardanauser_home: "{{ ansible_env['HOME'] }}"
```

File: roles/KEYMGR-WKR/README.md

```markdown
README
======

There are different configurable entries for Barbican Worker

1. Configuration entries that go into barbican-worker.conf
2. Deployment specific configuration which are not part of barbican-worker.conf like log_level, process count etc
```

File: roles/KEYMGR-WKR/defaults/main.yml

```yaml
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
#
---
component_service_name: "{{ barbican_worker_service_name }}"
logging_conf_file_name: worker-logging.conf
```

File: roles/KEYMGR-WKR/handlers/main.yml

```yaml
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
#
---
# Handlers for Barbican Worker
- name: restart barbican worker
  service:
    name: "{{ barbican_worker_service_name }}"
    state: "restarted"
    sleep: "20"

# Handlers for Barbican worker config change
- name: barbican_worker_config_change
  set_fact:
    barbican_worker_restart_required: True
```

File: roles/KEYMGR-WKR/meta/main.yml

```yaml
#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
```
You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- dependencies: - role: barbican-common - role: KEYMGR-API 0707010000005A000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004200000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/tasks0707010000005B000081A40000000000000000000000015E7B82F900000284000000000000000000000000000000000000006400000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/tasks/_configure_deployment_options.yml# # (c) Copyright 2015 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- 0707010000005C000081A40000000000000000000000015E7B82F9000009BF000000000000000000000000000000000000005000000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/tasks/configure.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. 
You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - include: ../../barbican-common/tasks/_set_directories.yml vars: install_package_result: "{{ barbican_worker_install_result }}" - name: KEYMGR-WKR | configure | Touch the log file file: path: "{{ item }}" owner: "{{ barbican_user }}" group: "{{ barbican_centralized_log_group }}" mode: 0640 state: touch become: yes with_items: - "/var/log/barbican/barbican-worker.log" - "/var/log/barbican/barbican-worker-json.log" tags: - barbican - name: KEYMGR-WKR | configure | Configure the barbican worker logging conf template: src: "../../KEYMGR-API/templates/barbican.conf.j2" dest: "{{ barbican_conf_dir }}/barbican-worker.conf" mode: "0600" owner: "{{ barbican_user }}" group: "{{ barbican_group }}" become: yes register: ardana_notify_barbican_worker_restart_required tags: - barbican - name: KEYMGR-WKR | configure | Configure the barbican worker logging conf template: src: "worker-logging.conf.j2" dest: "{{ barbican_conf_dir }}/worker-logging.conf" mode: "0600" owner: "{{ barbican_user }}" group: "{{ barbican_group }}" become: yes register: ardana_notify_barbican_worker_restart_required tags: - barbican - name: KEYMGR-WKR | configure | Create barbican-worker symlinks become: yes file: src: "{{ barbican_conf_dir }}/{{ item }}" dest: "/etc/barbican/{{ item }}" owner: "{{ barbican_user }}" group: "{{ barbican_group }}" state: "link" with_items: - worker-logging.conf - barbican-worker.conf tags: - barbican - name: KEYMGR-WKR | configure | Configure the barbican_worker script become: yes template: src: "barbican_worker" dest: "{{ barbican_bin_dir }}/barbican_worker" mode: 
"0755" register: ardana_notify_barbican_worker_restart_required tags: - barbican 0707010000005D000081A40000000000000000000000015E7B82F9000002B1000000000000000000000000000000000000005900000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/tasks/configure_features.yml# # (c) Copyright 2015 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - include: _configure_deployment_options.yml 0707010000005E000081A40000000000000000000000015E7B82F9000009F2000000000000000000000000000000000000004E00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/tasks/install.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. 
# --- - name: KEYMGR-WKR | install | Update venv cache become: yes install_package: cache: update - name: KEYMGR-WKR | install | Install Barbican worker from barbican venv become: yes install_package: name: barbican service: "{{ barbican_worker_service_name }}" state: present activate: act_off register: barbican_worker_install_result notify: barbican_worker_config_change tags: - barbican - name: KEYMGR-WKR | install | Install Barbican package result echo debug: msg: "barbican_worker_install_result = {{ barbican_worker_install_result }}" - include: ../../barbican-common/tasks/_set_directories.yml vars: install_package_result: "{{ barbican_worker_install_result }}" - name: KEYMGR-WKR | install | Create barbican worker config directory become: yes file: path: "{{ item.name }}" owner: "{{ barbican_user }}" group: "{{ barbican_group }}" mode: "{{ item.mode }}" state: "directory" recurse: "yes" with_items: - { name: "{{ barbican_conf_dir }}", mode: "u+rwx,g+rx,o+rx" } tags: - barbican - name: KEYMGR-WKR | install | Register barbican-worker as a service become: yes setup_systemd: service: "{{ barbican_worker_service_name }}" user: "{{ barbican_user }}" group: "{{ barbican_group }}" cmd: barbican_worker args: > --config-file "{{ barbican_conf_dir }}/barbican-worker.conf" tags: - barbican - name: KEYMGR-WKR | install | print venv debug: msg: "Barbican worker venv dir = {{ barbican_venv_dir }}, bin dir = {{ barbican_bin_dir }}, conf dir = {{ barbican_conf_dir }}, share dir = {{ barbican_share_dir }}" - name: KEYMGR-WKR | install | Create logging directory become: yes file: path: /var/log/barbican owner: "{{ barbican_user }}" group: "{{ barbican_group }}" mode: 0775 state: directory tags: - barbican 0707010000005F000081A40000000000000000000000015E7B82F900000776000000000000000000000000000000000000004C00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/tasks/start.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE 
LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- # Restart or start Barbican Worker - name: KEYMGR-WKR | start | Activate the latest install become: yes install_package: name: barbican-worker service: "{{ barbican_worker_service_name }}" activate: act_on version: "{{ barbican_worker_install_result.version }}" register: barbican_worker_activate_result when: barbican_worker_install_result is defined tags: - barbican - name: KEYMGR-WKR | start | Activate barbican worker result echo debug: msg: "barbican_worker_activate_result = {{ barbican_worker_activate_result }}" when: barbican_worker_activate_result is defined - name: KEYMGR-WKR | start | Restart barbican-worker service become: yes service: name: "{{ barbican_worker_service_name }}" state: restarted when: (ardana_notify_barbican_worker_restart_required is defined and ardana_notify_barbican_worker_restart_required.changed and barbican_worker_restarted_result is not defined) or barbican_worker_restart_required register: barbican_worker_restarted_result tags: - barbican - name: KEYMGR-WKR | start | Ensure barbican-worker service is started become: yes service: name: "{{ barbican_worker_service_name }}" state: started tags: - barbican 07070100000060000081A40000000000000000000000015E7B82F90000031F000000000000000000000000000000000000004B00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/tasks/stop.yml# # (c) Copyright 2015 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed 
under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # --- - name: KEYMGR-WKR | stop | Stop Barbican Worker service/process service: name: "{{ barbican_worker_service_name }}" state: stopped become: yes07070100000061000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004600000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/templates07070100000062000081A40000000000000000000000015E7B82F9000000BF000000000000000000000000000000000000005600000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/templates/barbican_worker#!/bin/bash CONFIG_DIR={{ barbican_conf_dir }} echo "Command line arguments: [$@]" echo "Barbican worker process." {{ barbican_bin_dir }}/python {{ barbican_bin_dir }}/barbican-worker $@ 07070100000063000081A40000000000000000000000015E7B82F900000853000000000000000000000000000000000000005D00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/templates/worker-logging.conf.j2{# # # (c) Copyright 2015 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
See the # License for the specific language governing permissions and limitations # under the License. # #} [loggers] keys: root, iso8601 [handlers] keys: watchedfile, logstash [formatters] keys: debug,minimal, normal, logstash ########### # Loggers # ########### [logger_root] qualname: root handlers: watchedfile, logstash level: NOTSET [logger_iso8601] qualname: iso8601 handlers: watchedfile, logstash level: INFO ################ # Log Handlers # ################ # Writes to disk [handler_watchedfile] class: handlers.WatchedFileHandler args: ('/var/log/barbican/barbican-worker.log',) formatter = debug level: {{ barbican_loglevel }} # Writes JSON to disk, beaver will ship to logstash [handler_logstash] class: handlers.WatchedFileHandler args: ('/var/log/barbican/barbican-worker-json.log',) formatter= logstash level: {{ barbican_logstash_loglevel }} ################## # Log Formatters # ################## [formatter_minimal] format=%(message)s [formatter_normal] format=(%(name)s): %(asctime)s %(levelname)s %(message)s [formatter_debug] format=(%(name)s): %(asctime)s %(levelname)s %(module)s %(funcName)s %(message)s # datefmt must be set otherwise you end up with too many (msecs) fields [formatter_context] class: oslo_log.formatters.ContextFormatter args: (datefmt=datefmt) format: %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user)s %(tenant)s] %(instance)s%(message)s datefmt: %Y-%m-%d %H:%M:%S # the "format" attr actually sets the "type" [formatter_logstash] class = logstash.LogstashFormatterVersion1 format = barbican 07070100000064000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004100000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/vars07070100000065000081A40000000000000000000000015E7B82F9000002DD000000000000000000000000000000000000004A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/vars/main.yml# # (c) Copyright 2015 Hewlett Packard Enterprise Development LP # 
(c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # wkr_ardanauser : "{{ ansible_env['USER'] }}" wkr_ardanauser_home: "{{ ansible_env['HOME'] }}" 07070100000066000041ED0000000000000000000000065E7B82F900000000000000000000000000000000000000000000004100000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common07070100000067000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/defaults07070100000068000081A40000000000000000000000015E7B82F900001C8B000000000000000000000000000000000000005300000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/defaults/main.yml# # (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017-2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. 
# --- barbican_home_dir: /home/barbican barbican_user: barbican barbican_group: barbican barbican_centralized_log_group: adm service: barbican barbican_api_network_address: "{{ host.bind.KEYMGR_API.internal.ip_address }}" barbican_api_port: "{{ host.bind.KEYMGR_API.internal.port }}" barbican_bin_dir: "{{ service | bin_dir() }}" barbican_conf_dir: "{{ service | config_dir() }}/{{service}}" barbican_share_dir: "{{ service | share_dir() }}" barbican_venv_dir: "{{ service | venv_dir }}" barbican_unversioned_conf_dir: "{{ service | config_dir() }}/{{service}}" barbican_admin_domain_name: "Default" barbican_admin_role: "{{ KEYMGR_API.vars.barbican_admin_role | default (KEY_API.vars.keystone_admin_role) }}" barbican_observer_role: "key-manager:observer" barbican_creator_role: "key-manager:creator" barbican_auditor_role: "key-manager:auditor" barbican_service_admin_role: "key-manager:service-admin" keystone_service_role: service barbican_api_audit_enable: "{{ KEYMGR.audit.enabled }}" barbican_audit_log_base_location: "{{ KEYMGR.audit.dir }}" barbican_admin_user: "{{ KEYMGR_API.vars.barbican_admin_user }}" barbican_admin_user_password: "{{ KEYMGR_API.vars.barbican_admin_password | quote }}" barbican_service_user: "{{ KEYMGR_API.vars.barbican_service_user }}" barbican_service_password: "{{ KEYMGR_API.vars.barbican_service_password | quote }}" #barbican_service_password: '%random-password%' barbican_api_conf_file: barbican.conf barbican_api_service_name: barbican-api barbican_worker_service_name: barbican-worker # Keystone specific variables keystone: admin_user: "{{ KEY_API.vars.keystone_admin_user }}" admin_password: "{{ KEY_API.vars.keystone_admin_pwd | quote }}" default_domain_name: "{{ KEY_API.vars.keystone_default_domain }}" admin_tenant_name: "{{ KEY_API.vars.keystone_admin_tenant }}" service_tenant_name: "{{ KEY_API.vars.keystone_service_tenant }}" admin_role: "{{ KEY_API.vars.keystone_admin_role }}" auth_url: "{{ KEYMGR_API.consumes_KEY_API.vips.private[0].url }}" 
identity_url: "{{ KEYMGR_API.consumes_KEY_API.vips.private[0].url }}" admin_url: "{{ KEYMGR_API.consumes_KEY_API.vips.private[0].url }}" ca_file: "{{ trusted_ca_bundle }}" memcached_servers: "{% for x in KEYMGR.consumes_FND_MEM.members.private %}{{ x.host }}:{{ x.port }}{%if not loop.last %},{% endif %}{% endfor %}" memcache_secret_key: "{{ KEYMGR.consumes_FND_MEM.vars.memcached.barbican.secret_key | quote }}" barbican_db_ca_file: "{{ trusted_ca_bundle }}" barbican_database_connection_string: "mysql+pymysql://{{ KEYMGR_API.consumes_FND_MDB.vars.accounts.barbican.username }}:{{ KEYMGR_API.consumes_FND_MDB.vars.accounts.barbican.password | urlencode }}@{{ KEYMGR_API.consumes_FND_MDB.vips.private[0].host }}/barbican{% if KEYMGR_API.consumes_FND_MDB.vips.private[0].use_tls %}?ssl_ca={{ barbican_db_ca_file }}{% endif %}" barbican_admin_vip_protocol: "{{ KEYMGR_API.advertises.vips.admin[0].protocol }}" barbican_admin_vip_host: "{{ KEYMGR_API.advertises.vips.admin[0].host }}" barbican_admin_vip_port: "{{ KEYMGR_API.advertises.vips.admin[0].port }}" barbican_internal_vip_protocol: "{{ KEYMGR_API.advertises.vips.private[0].protocol }}" barbican_internal_vip_host: "{{ KEYMGR_API.advertises.vips.private[0].host }}" barbican_internal_vip_port: "{{ KEYMGR_API.advertises.vips.private[0].port }}" barbican_public_vip_protocol: "{{ KEYMGR_API.advertises.vips.public[0].protocol }}" barbican_public_vip_host: "{{ KEYMGR_API.advertises.vips.public[0].host }}" barbican_public_vip_port: "{{ KEYMGR_API.advertises.vips.public[0].port }}" barbican_internal_endpoint: "{{ KEYMGR_API.advertises.vips.private[0].url }}" # Default master key used for store_crypto plugin # Mainly defined for CI/CD processing. 
#barbican_default_master_key: "3Z8QOImQyi2PAZUHjcqfxkcvZhPlHyXlH2wqjgwRpDI=" barbican_default_master_key: "{{ KEYMGR_API.vars.barbican_master_kek_db_plugin | b64encode }}" # Value passed to barbican configuration, keep it blank barbican_simple_crypto_master_key: barbican_pkcs11_package_name: barbican_pkcs11_slot_id: 1 barbican_pkcs11_generate_labels: False barbican_secretstore_plugins: barbican_enabled_crypto_plugins: barbican_pkcs11_eskm_generate_conf: False # ESKM specific path as defined in pkcs11 3rd party library. barbican_pkcs11_eskm_connector_base_path: "/opt/hpe/eskm_pkcs11" barbican_pkcs11_eskm_connector_library_path: "{{ barbican_pkcs11_eskm_connector_base_path }}/lib/libhppkcs11.so" barbican_pkcs11_eskm_connector_client_cert_path: "{{ barbican_pkcs11_eskm_connector_base_path }}/conf/cert.pem" barbican_pkcs11_eskm_connector_client_key_path: "{{ barbican_pkcs11_eskm_connector_base_path }}/conf/privkey.pem" barbican_pkcs11_eskm_connector_client_cacert_path: "{{ barbican_pkcs11_eskm_connector_base_path }}/conf/ca.pem" barbican_pkcs11_eskm_kmip_host: barbican_pkcs11_eskm_kmip_port: 5696 barbican_pkcs11_project_kek_cache_ttl_secs: 900 barbican_pkcs11_project_kek_cache_size: 100 # Message queue variables _mq_hosts_list: "{{ KEYMGR_API.consumes_FND_RMQ.members.private | default (KEYMGR_API.consumes_FND_RMQ.members.public) }}" barbican_control_exchange: openstack barbican_notification_driver: log barbican_rabbit_user: "{{ KEYMGR.consumes_FND_RMQ.vars.accounts.barbican.username }}" barbican_rabbit_password: "{{ KEYMGR.consumes_FND_RMQ.vars.accounts.barbican.password }}" barbican_rabbit_use_ssl: "{{ KEYMGR.consumes_FND_RMQ.members.private[0].use_tls }}" barbican_rabbit_hosts_url: > {%- for x in _mq_hosts_list -%} {{ barbican_rabbit_user }}:{{ barbican_rabbit_password }}@{{ x.host }}:{{ x.port }}{%- if not loop.last -%},{%- endif -%} {%- endfor -%} barbican_transport_url: "rabbit://{{ barbican_rabbit_hosts_url }}//" barbican_api_ssl_client_key: "{{ barbican_conf_dir 
}}/ssl/certs/client.key" barbican_api_ssl_client_cert: "{{ barbican_conf_dir }}/ssl/certs/client.crt" barbican_api_ssl_ca_cert: "{{ barbican_conf_dir }}/ssl/certs/ca.crt" barbican_kmip_client_key_path: "/etc/barbican/ssl/certs/kmip_client.key" barbican_kmip_client_cert_path: "/etc/barbican/ssl/certs/kmip_client.crt" barbican_kmip_client_cacert_path: "/etc/barbican/ssl/certs/kmip_ca.crt" barbican_host_set: "{{ groups[verb_hosts.KEYMGR_API] | default([]) }}" # Barbican database version, head means version as per included barbican code base # Please see https://github.com/openstack/barbican/blob/stable/liberty/barbican/cmd/db_manage.py#L72 barbican_db_version: head # flag set in configure playbooks to trigger services handlers to restart barbican_restart_required: False barbican_api_restart_required: False barbican_worker_restart_required: False barbican_api_reload_required: False 07070100000069000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004600000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/meta0707010000006A000081A40000000000000000000000015E7B82F900000263000000000000000000000000000000000000004F00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/meta/main.yml# (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. 
# --- dependencies: - role: tls-vars 0707010000006B000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004700000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/tasks0707010000006C000081A40000000000000000000000015E7B82F90000066B000000000000000000000000000000000000006500000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/tasks/_read_existing_master_key.yml# # (c) Copyright 2016 Hewlett Packard Enterprise Development LP # (c) Copyright 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. 
# --- - name: barbican-common | _read_existing_master_key | Read existing master keks from controller shell: crudini --get /etc/barbican/{{ barbican_api_conf_file }} simple_crypto_plugin kek | sed s/\"//g ignore_errors: yes become: yes register: barbican_existing_master_kek_result when: barbican_customer_master_key is undefined or not barbican_customer_master_key - name: barbican-common | _read_existing_master_key | Use existing master key from controller if present ignore_errors: yes set_fact: barbican_simple_crypto_master_key: "{{ barbican_existing_master_kek_result.stdout }}" when: barbican_customer_master_key is undefined or not barbican_customer_master_key - name: barbican-common | _read_existing_master_key | Use customer master key if defined set_fact: barbican_simple_crypto_master_key: "{{ barbican_customer_master_key }}" when: barbican_customer_master_key is defined and barbican_customer_master_key 0707010000006D000081A40000000000000000000000015E7B82F900000418000000000000000000000000000000000000005D00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/tasks/_schedule_restart.yml# # (c) Copyright 2018 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. 
(continuation of roles/barbican-common/tasks/_schedule_restart.yml)

#
---
- name: barbican-common | _schedule_restart | Schedule a restart for barbican-api
  debug:
    msg: "Trigger a change notification in barbican-api"
  changed_when: true
  register: ardana_notify_barbican_api_restart_required

- name: barbican-common | _schedule_restart | Schedule a restart for barbican-worker
  debug:
    msg: "Trigger a change notification in barbican-worker"
  changed_when: true
  register: ardana_notify_barbican_worker_restart_required


File: ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/tasks/_set_directories.yml

#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: barbican-common | _set_directories | set service etc directory - configure
  set_fact:
    barbican_bin_dir: "{{ component_service_name | bin_dir(install_package_result.version) }}"
    barbican_conf_dir: "{{ component_service_name | config_dir(install_package_result.version) }}/{{ service }}"
    barbican_share_dir: "{{ component_service_name | share_dir(install_package_result.version) }}"
    barbican_venv_dir: "{{ component_service_name | venv_dir(install_package_result.version) }}"
  when: install_package_result.version is defined

- name: barbican-common | _set_directories | set service etc directory - reconfigure
  set_fact:
    barbican_bin_dir: "{{ component_service_name | bin_dir() }}"
    barbican_conf_dir: "{{ component_service_name | config_dir() }}/{{ service }}"
    barbican_share_dir: "{{ component_service_name | share_dir() }}"
    barbican_venv_dir: "{{ component_service_name | venv_dir }}"
  when: install_package_result.version is undefined


File: ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/tasks/main.yml

#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
# http://www.apache.org/licenses/LICENSE-2.0
#
---
- name: barbican-common | main | include OS specific variables
  include_vars: "{{ ansible_os_family | lower }}.yml"

- name: barbican-common | main | Include vars file with customer barbican configuration values
  include_vars: barbican_deploy_config.yml
  tags:
    - barbican
    - barbican_debug

- include: _read_existing_master_key.yml

# The max worker count is rendered from a Jinja expression and therefore
# arrives as a string; compare it as an integer, as the tasks below do.
- name: barbican-common | main | Set max api worker count to 8 if dynamic CPU based count is less than 8
  set_fact:
    barbican_api_max_worker_count: 8
  when: barbican_api_max_worker_count|int < 8
  tags:
    - barbican

- name: barbican-common | main | Increase max api worker count by 4 if incorrectly set to be less than min count value.
  debug:
    msg: "WARNING Barbican API max worker count [{{ barbican_api_max_worker_count }}] must be greater than min worker count [{{ barbican_api_min_worker_count }}]. Setting max count to be greater by 4."
  tags:
    - barbican
  when: barbican_api_max_worker_count|int <= barbican_api_min_worker_count|int

- name: barbican-common | main | Increase max api worker count by 4 if it is not set to be greater than min count value.
  set_fact:
    barbican_api_max_worker_count: "{{ barbican_api_min_worker_count|int + 4 }}"
  when: barbican_api_max_worker_count|int <= barbican_api_min_worker_count|int
  tags:
    - barbican

- name: barbican-common | main | Display variables that are configured for KEYMGR-API
  debug:
    var: KEYMGR_API
  tags:
    - barbican
    - barbican_debug
  when: barbican_debug is defined
  run_once: True

- name: barbican-common | main | Display variables for the inventory host
  debug:
    var: hostvars[inventory_hostname]
  tags:
    - barbican
    - barbican_debug
  when: barbican_debug is defined
  run_once: True


File: ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/vars/barbican_deploy_config.yml

#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
# http://www.apache.org/licenses/LICENSE-2.0
#
# Possible log levels are INFO/DEBUG/WARN/ERROR
barbican_loglevel: "{{ ardana_loglevel | default('INFO') }}"
barbican_logstash_loglevel: "{{ ardana_loglevel | default('INFO') }}"

#########################################################################################
# Using uwsgi adaptive process spawning to dynamically scale workers.
# See http://uwsgi-docs.readthedocs.org/en/latest/Cheaper.html
# cheaper-algo = spare, cheaper = 4 (min count), cheaper-initial = 6
# Set maximum number of workers that can be spawned. Max value is dynamically
# calculated based on underlying hardware capability.
# If dynamically calculated value is less than 8, then 8 is used.
# Max count needs to be greater than min count (below). If it is set to a lower or
# equal value, then max count is updated to be 4 higher than min count.
# The parentheses matter: a Jinja filter binds tighter than '*', so without them
# default() would apply to the literal 2 rather than to the whole product.
barbican_api_max_worker_count: "{{ (ansible_processor_count * ansible_processor_cores * 2) | default('8') }}"
# Minimum number of idle workers to be kept running.
barbican_api_min_worker_count: 4
# Number of workers to create at barbican api server startup
#barbican_api_initial_worker_count: 6
barbican_api_initial_worker_count: 4
# Multi-processing is used instead of threading. Threads are kept at 1.
# Python threading is useful in high IO load interactions.
barbican_api_threads_count: 1

#########################################################################################
# Customer provided master key during first time barbican initial deployment.
# The key should be a 32-byte value which is base64 encoded.
# This value must be set before cloud deployment (with site.yml) starts.
# Note: Master key should not be changed as there can be existing entries using
# this key for encrypting barbican project kek and secrets.
# barbican_customer_master_key: "3Z8QOImQyi2PAZUHjcqfxkcvZhPlHyXlH2wqjgwRpDI="
barbican_customer_master_key:

#######################################################################
#################### KMIP Plugin Configuration Section #################
#######################################################################
# Flag to reflect whether KMIP plugin is to be used as backend for storing secrets
use_kmip_secretstore_plugin: False
# Note: Connection username needs to match with 'Common Name' provided
# in client cert request (CSR).
barbican_kmip_username:
barbican_kmip_password:
barbican_kmip_host:
barbican_kmip_port:

###############################################################################
#################### PKCS11 Crypto Plugin Configuration Section ###############
###############################################################################
# Set to True to use the PKCS11 crypto plugin. This plugin stores project
# level kek and master kek in a PKCS11 compatible HSM device. Encrypted keys are
# stored in DB using the 'store_crypto' secret store plugin. A deployment can use
# an HSM device either via the PKCS11 crypto model or the KMIP plugin model. Both
# cannot be enabled within a single barbican deployment.
use_pkcs11_crypto_plugin: False
barbican_pkcs11_session_password:
barbican_pkcs11_mkek_label:
barbican_pkcs11_hmac_label:
# There is an in-memory cache used with pkcs11 interaction where the object handle
# (pointer) to the project kek (key encryption key) is stored. This handle is a
# reference to the key which is created in the HSM as part of unwrap (register/import)
# of the 'wrapped_key' column in the 'kek_data' table. This handle is added to the
# cache when the project kek is needed the first time on that specific barbican
# node/process. These object handles are destroyed in the HSM only when an expired
# handle is accessed or the cache size limit is reached. This cache cannot be
# disabled, though the ttl seconds or size limit can be reduced if caching
# behavior needs to be limited.
# pkcs11 project kek (key encryption key) cache time to live (expiry) seconds.
barbican_pkcs11_project_kek_cache_ttl_secs: 900
# pkcs11 project kek (key encryption key) cache max size.
barbican_pkcs11_project_kek_cache_size: 100
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
# Change here if it needs to be different from default
barbican_pkcs11_slot_id: 1
# Flag to set to True if ESKM is used as HSM, otherwise keep it False.
# With the following flag set to True, the playbook will use the ESKM predefined
# paths, so those are not required in that case.
barbican_pkcs11_provider_is_eskm:
barbican_pkcs11_eskm_kmip_host:
barbican_pkcs11_eskm_kmip_port:
# Following are required paths on controller nodes related to PKCS11 setup.
# With flag barbican_pkcs11_provider_is_eskm as True, the following paths are not
# required as default expected paths are used for the ESKM PKCS11 library.
barbican_pkcs11_library_path:
barbican_pkcs11_client_cert_path:
barbican_pkcs11_client_key_path:
barbican_pkcs11_client_cacert_path:


File: ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/vars/debian.yml

#
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
# http://www.apache.org/licenses/LICENSE-2.0
#
---
barbican_package_dependencies:
  - python-dev
  - libffi-dev
  - libssl-dev
  - libmysqlclient18
  - libldap2-dev
  - libsasl2-dev
  - python-httplib2


File: ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/vars/suse.yml

#
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
# http://www.apache.org/licenses/LICENSE-2.0
#
---
barbican_package_dependencies:
  - apache2-mod_wsgi
  - libffi4
  - libmysqlclient18
  - libopenssl1_0_0
  - logrotate
  - python-httplib2


File: ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor/defaults/main.yml

#
# (c) Copyright 2020 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
# http://www.apache.org/licenses/LICENSE-2.0
#
ardana_node_cert: /etc/ssl/private/ardana-node-cert
# certificate only, for monitoring purpose
ardana_node_cert_monitoring: /etc/ssl/ardana-node-cert-monitoring.pem


File: ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor/meta/main.yml

#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
# http://www.apache.org/licenses/LICENSE-2.0
#
---
dependencies:
  - role: barbican-common
  - {role: monasca-agent, run_mode: Use}


File: ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor/tasks/configure_tls.yml

#
# (c) Copyright 2020 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
# http://www.apache.org/licenses/LICENSE-2.0
#
---
# NOTE(gyee): Since the provisioned TLS server certificate file consists of
# both the certificate and the private key, we need to separate out the
# certificate portion for monitoring without having to compromise the private
# key. This is done by copying the certificate to a different file and making
# it readable by the world. Making the certificate readable by the world is NOT
# a problem, as a TLS certificate is public information.
- name: barbican-monitor | configure_tls | Separate out ardana node TLS cert
  become: yes
  shell: >
    openssl x509 -in {{ ardana_node_cert }}
    -out {{ ardana_node_cert_monitoring }} -outform PEM

- name: barbican-monitor | configure_tls | Make sure ardana node monitoring cert is readable
  become: yes
  file:
    path: "{{ ardana_node_cert_monitoring }}"
    mode: '0644'

- name: barbican-monitor | configure_tls | Run Monasca detection plugin for ardana node cert
  become: yes
  monasca_agent_plugin:
    name: CertificateFileCheck
    args:
      cert_files: "{{ ardana_node_cert_monitoring }}"
      dimensions: "service:barbican"


File: ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor/tasks/local_monitor.yml

#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
# http://www.apache.org/licenses/LICENSE-2.0
#
- name: barbican-monitor | local_monitor | Set up check on barbican wsgi process and admin endpoint locally
  become: yes
  monasca_agent_plugin:
    name: "barbican"
    args: "disable_http_check=yes"
  tags:
    - barbican
    - barbican_monitor

- name: barbican-monitor | local_monitor | Setup active check on barbican internal
  become: yes
  monasca_agent_plugin:
    name: "httpcheck"
    args: >
      use_keystone=False
      url=http://{{ barbican_api_network_address }}:{{ item.port }}
      dimensions=service:key-manager,component:barbican-api,api_endpoint:{{ item.api_endpoint }},monitored_host_type:instance
  with_items:
    - [{ api_endpoint: 'internal', port: "{{ barbican_internal_vip_port }}"} ]
  tags:
    - barbican
    - barbican_monitor

- name: barbican-monitor | local_monitor | Check ardana-node-cert
  become: yes
  stat:
    path: "{{ ardana_node_cert }}"
  register: ardana_node_cert_check_result

- name: barbican-monitor | local_monitor | Monitor ardana-node-cert
  include: configure_tls.yml
  when: ardana_node_cert_check_result.stat.exists


File: ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor/tasks/remote_monitor.yml

#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
# http://www.apache.org/licenses/LICENSE-2.0
#
- name: barbican-monitor | remote_monitor | Setup http check against Barbican VIP
  become: yes
  monasca_agent_plugin:
    name: "httpcheck"
    args: >
      use_keystone=False
      url={{ item.url }}/
      dimensions=service:key-manager,component:barbican-api,api_endpoint:{{ item.api_endpoint }},monitored_host_type:vip
  with_items:
    - { api_endpoint: 'internal', url: "{{ barbican_internal_endpoint }}"}
  tags:
    - barbican_monitor


File: ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor/vars/main.yml

#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License").
# http://www.apache.org/licenses/LICENSE-2.0
#
---
ardanauser: "{{ ansible_env['USER'] }}"
ardanauser_home: "{{ ansible_env['HOME'] }}"
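As an added example (not code from the ardana-barbican role), the following Python preflight check applies the rules that barbican_deploy_config.yml and main.yml state to a loaded copy of the deploy-config variables: the master key must be a base64-encoded 32-byte value, the KMIP and PKCS11 plugins cannot both be enabled, the four PKCS11 paths are required unless the ESKM provider flag is set, and the max worker count is raised to 8 and then above the min count. The function names, the constructed sample key and the treatment of the four KMIP connection values as required when that plugin is enabled are assumptions.

```python
# Added example: preflight checks for barbican_deploy_config.yml values.
import base64

MASTER_KEY_BYTES = 32   # "a 32-byte value which is base64 encoded"
MAX_WORKER_FLOOR = 8    # main.yml raises a smaller dynamic count to 8
KMIP_REQUIRED = ("barbican_kmip_username", "barbican_kmip_password",
                 "barbican_kmip_host", "barbican_kmip_port")
PKCS11_PATHS = ("barbican_pkcs11_library_path", "barbican_pkcs11_client_cert_path",
                "barbican_pkcs11_client_key_path", "barbican_pkcs11_client_cacert_path")

# Constructed sample key (32 bytes of 0x01), not a real deployment value.
EXAMPLE_KEY = base64.b64encode(b"\x01" * MASTER_KEY_BYTES).decode("ascii")


def _is_set(value):
    """An empty YAML value ("key:") loads as None; blank strings count as unset too."""
    return value is not None and str(value).strip() != ""


def validate_master_key(value):
    """Return the decoded key bytes, or raise ValueError naming the defect."""
    if not _is_set(value):
        raise ValueError("barbican_customer_master_key is not set")
    try:
        # binascii.Error (bad alphabet or padding) is a ValueError subclass
        raw = base64.b64decode(str(value).strip(), validate=True)
    except ValueError as exc:
        raise ValueError("barbican_customer_master_key is not valid base64: %s" % exc)
    if len(raw) != MASTER_KEY_BYTES:
        raise ValueError("barbican_customer_master_key decodes to %d bytes, expected %d"
                         % (len(raw), MASTER_KEY_BYTES))
    return raw


def effective_max_workers(configured_max, min_count):
    """Apply the two adjustments main.yml makes to barbican_api_max_worker_count."""
    max_count = int(configured_max)      # the templated value arrives as a string
    if max_count < MAX_WORKER_FLOOR:
        max_count = MAX_WORKER_FLOOR
    if max_count <= int(min_count):      # max must be strictly greater than min
        max_count = int(min_count) + 4
    return max_count


def preflight(cfg):
    """Return the problems found in a deploy-config dict; an empty list means clean.

    Plugin flags are assumed to be YAML booleans, as they are in the vars file.
    """
    problems = []
    try:
        validate_master_key(cfg.get("barbican_customer_master_key"))
    except ValueError as exc:
        problems.append(str(exc))
    kmip = bool(cfg.get("use_kmip_secretstore_plugin", False))
    pkcs11 = bool(cfg.get("use_pkcs11_crypto_plugin", False))
    if kmip and pkcs11:
        problems.append("KMIP and PKCS11 plugins cannot both be enabled")
    if kmip:
        problems += ["%s is required for KMIP" % k
                     for k in KMIP_REQUIRED if not _is_set(cfg.get(k))]
    if pkcs11 and not bool(cfg.get("barbican_pkcs11_provider_is_eskm", False)):
        problems += ["%s is required for a non-ESKM PKCS11 provider" % k
                     for k in PKCS11_PATHS if not _is_set(cfg.get(k))]
    return problems
```

Running preflight over a yaml.safe_load of the vars file before site.yml catches the unset master key that the file ships with, rather than discovering it during deployment.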