File ardana-barbican-8.0+git.1585152761.8ef3d61.obscpio of Package ardana-barbican

07070100000000000081A40000000000000000000000015E7B82F900000083000000000000000000000000000000000000003C00000000ardana-barbican-8.0+git.1585152761.8ef3d61/.copyrightignoreroles/KEYMGR-API/templates/generate_kek
roles/KEYMGR-API/README.md
roles/KEYMGR-API/templates/api-logging.conf.j2
.copyrightignore
07070100000001000081A40000000000000000000000015E7B82F900000084000000000000000000000000000000000000003600000000ardana-barbican-8.0+git.1585152761.8ef3d61/.gitreview[gerrit]
host=gerrit.suse.provo.cloud
port=29418
project=ardana/barbican-ansible.git
defaultremote=ardana
defaultbranch=stable/pike
07070100000002000081A40000000000000000000000015E7B82F90000000C000000000000000000000000000000000000003900000000ardana-barbican-8.0+git.1585152761.8ef3d61/.rsync-filter- ardana-ci
07070100000003000081A40000000000000000000000015E7B82F90000279F000000000000000000000000000000000000003300000000ardana-barbican-8.0+git.1585152761.8ef3d61/LICENSE
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

07070100000004000081A40000000000000000000000015E7B82F9000002A1000000000000000000000000000000000000003500000000ardana-barbican-8.0+git.1585152761.8ef3d61/README.mdREADME
======

This repository contains the following roles:

 - KEYMGR-API:         Barbican API server
 - KEYMGR-WKR:         Barbican worker process for async order processing
 - barbican-common:    Common variable and task declarations
 - barbican-monitor:   Local and remote monitoring of Barbican API

The verbs:
- configure - configure the service/role
- install   - install the service/role
- start     - start the service/role
- stop      - stop the service/role

The operations:
- deploy       - deploy the service (install, configure and start)
- reconfigure  - reconfigures the service


Refer to roles/KEYMGR-API/README.md for reconfiguration instructions.

07070100000005000081A40000000000000000000000015E7B82F90000036F000000000000000000000000000000000000004300000000ardana-barbican-8.0+git.1585152761.8ef3d61/_barbican-configure.yml#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Apply the KEYMGR-API role and then its configure task file on every host in
# the KEYMGR-API group. Fact gathering is requested explicitly for this play.
- hosts: KEYMGR-API
  gather_facts: True
  roles:
    - KEYMGR-API
  tasks:
    # Legacy `include` of a role task file by repository-relative path.
    - include: roles/KEYMGR-API/tasks/configure.yml

- hosts: KEYMGR-WKR
  roles:
    - KEYMGR-WKR
  tasks:
    - include: roles/KEYMGR-WKR/tasks/configure.yml07070100000006000081A40000000000000000000000015E7B82F900000368000000000000000000000000000000000000004100000000ardana-barbican-8.0+git.1585152761.8ef3d61/_barbican-install.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Install step, one play per Barbican component. Each play applies the
# component's role and then includes that role's install task file.

# API server hosts.
- hosts: KEYMGR-API
  roles:
    - role: KEYMGR-API
  tasks:
    - include: roles/KEYMGR-API/tasks/install.yml

# Worker hosts.
- hosts: KEYMGR-WKR
  roles:
    - role: KEYMGR-WKR
  tasks:
    - include: roles/KEYMGR-WKR/tasks/install.yml
07070100000007000081A40000000000000000000000015E7B82F9000002EA000000000000000000000000000000000000004A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/_barbican-schedule-restart.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Schedule a restart of all barbican services using ardana_notify_... variables
- hosts: all
  tasks:
    - include: roles/barbican-common/tasks/_schedule_restart.yml07070100000008000041ED0000000000000000000000045E7B82F900000000000000000000000000000000000000000000003500000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci07070100000009000041ED0000000000000000000000035E7B82F900000000000000000000000000000000000000000000003D00000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci/project0707010000000A000041ED0000000000000000000000035E7B82F900000000000000000000000000000000000000000000004900000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci/project/input-model0707010000000B000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004E00000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci/project/input-model/data0707010000000C000081A40000000000000000000000015E7B82F900000594000000000000000000000000000000000000006000000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci/project/input-model/data/control_plane.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
  # CI input model: one control plane with a single three-member cluster that
  # carries barbican-api and barbican-worker next to the other listed
  # service components (database, message queue, keystone, ...).
  product:
    version: 2

  control-planes:
    - name: ccp
      control-plane-prefix: ccp
      region-name: region1
      # One failure zone per server group used in servers.yml (AZ1..AZ3).
      failure-zones:
        - AZ1
        - AZ2
        - AZ3

      common-service-components:
        - lifecycle-manager-target
        - openstack-client

      clusters:
        - name: cluster0
          cluster-prefix: c0
          # Three distinct server roles, one per cluster member.
          server-role:
            - SERVER1-ROLE
            - SERVER2-ROLE
            - SERVER3-ROLE
          member-count: 3
          allocation-policy: strict
          service-components:
            - lifecycle-manager
            - ntp-server
            - mysql
            - ip-cluster
            - rabbitmq
            - keystone-client
            - keystone-api
            - barbican-api
            - barbican-worker
0707010000000D000081A40000000000000000000000015E7B82F9000005CF000000000000000000000000000000000000005A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci/project/input-model/data/servers.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
  # CI input model: the three servers referenced by control_plane.yml.
  product:
    version: 2

  baremetal:
    netmask: 255.255.255.0
    subnet: 192.168.110.0
    server-interface: eth2

  # NOTE(review): every entry below carries the same `ilo-user` / `ilo-password`
  # pair in clear text. With private addresses and `nic-mapping: VAGRANT` these
  # look like fixture values for a virtual CI environment -- confirm, and do
  # not carry this pattern over to an input model that describes real
  # management controllers.
  servers:

    - id: server1
      ip-addr: 192.168.110.3
      role: SERVER1-ROLE
      server-group: AZ1
      mac-addr: a4:93:0c:4f:7c:73
      nic-mapping: VAGRANT
      ilo-ip: 192.168.109.3
      ilo-password: password
      ilo-user: admin

    - id: server2
      ip-addr: 192.168.110.4
      role: SERVER2-ROLE
      server-group: AZ2
      mac-addr: b2:72:8d:ac:7c:6f
      nic-mapping: VAGRANT
      ilo-ip: 192.168.109.4
      ilo-password: password
      ilo-user: admin

    - id: server3
      ip-addr: 192.168.110.5
      role: SERVER3-ROLE
      server-group: AZ3
      mac-addr: 8a:8e:64:55:43:76
      nic-mapping: VAGRANT
      ilo-ip: 192.168.109.5
      ilo-password: password
      ilo-user: admin

0707010000000E000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000003B00000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci/tests0707010000000F000081A40000000000000000000000015E7B82F900000400000000000000000000000000000000000000004A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci/tests/test-plan.yaml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# CI test plan: three steps, listed in the order they appear here.

# Step 1: run the reconfigure playbook; output goes to the named log file.
- name: Test reconfigure
  logfile: testsuite-reconfigure.log
  prefix: reconfigure
  playbooks:
    - barbican-reconfigure.yml

# Step 2: run the validation script (it runs barbican-status.yml).
- name: Validate barbican
  exec:
    - validate-barbican.bash

# Step 3: reboot server2, start the Barbican services again with the start
# playbook, then validate once more.
- name: Test reboot
  logfile: reboot.log
  prefix: reboot
  vms:
    - reboot: server2
  exec:
    - ansible-playbook -i hosts/verb_hosts barbican-start.yml
    - validate-barbican.bash

07070100000010000081ED0000000000000000000000015E7B82F900000308000000000000000000000000000000000000005200000000ardana-barbican-8.0+git.1585152761.8ef3d61/ardana-ci/tests/validate-barbican.bash#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#

#!/bin/bash

# Run the Barbican status playbook against the hosts/verb_hosts inventory and
# report the outcome as a single "Ok" / "Fail" line; a failure exits with 1.
# NOTE(review): the "#!/bin/bash" line above comes after the license header
# instead of being the first line of the file, so it is only a comment and
# does not select the interpreter.
if ansible-playbook -i hosts/verb_hosts barbican-status.yml
then
  echo "Ok"
else
  echo "Fail"
  exit 1
fi

07070100000011000081A40000000000000000000000015E7B82F90000039F000000000000000000000000000000000000004A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-configure-monasca.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Both plays target `KEYMGR-API:&MON-AGN`, i.e. only hosts that are in the
# KEYMGR-API group AND in the MON-AGN group.

# Play 1: local monitoring tasks from the barbican-monitor role.
- hosts: KEYMGR-API:&MON-AGN
  roles:
    - role: barbican-monitor
  tasks:
    - include: roles/barbican-monitor/tasks/local_monitor.yml

# Play 2: remote monitoring tasks, same host selection and role.
- hosts: KEYMGR-API:&MON-AGN
  roles:
    - role: barbican-monitor
  tasks:
    - include: roles/barbican-monitor/tasks/remote_monitor.yml
07070100000012000081A40000000000000000000000015E7B82F90000043A000000000000000000000000000000000000003F00000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-deploy.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Deploy sequence: Keystone registration, install, configure, start, then
# monitoring setup -- in the order written below.

# Register necessary user, barbican roles, role assignment for api service.
- hosts: KEYMGR-API
  roles:
    - role: KEYMGR-API
  tasks:
    # `ansible_python_interpreter` is given as an extra key on the include
    # (legacy include-parameter syntax); its value is read from the KEY_CLI
    # variables.
    - include: roles/KEYMGR-API/tasks/keystone_conf.yml
      ansible_python_interpreter:
        "{{ KEY_CLI.vars.keystone_client_python_interpreter }}"

- include: _barbican-install.yml

- include: _barbican-configure.yml
- include: barbican-start.yml
- include: barbican-configure-monasca.yml
07070100000013000081A40000000000000000000000015E7B82F900000432000000000000000000000000000000000000005700000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-reconfigure-credentials-change.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Credential-change sequence: configure, change the password in Keystone,
# then start the services through barbican-start.yml.
- include: _barbican-configure.yml

# NOTE(review): _barbican-configure.yml already includes this same task file
# for the KEYMGR-API hosts, so this play appears to repeat that step --
# confirm whether the second run is intentional.
- hosts: KEYMGR-API
  roles:
    - KEYMGR-API
  tasks:
    - include: roles/KEYMGR-API/tasks/configure.yml

- hosts: KEYMGR-API
  roles:
    - KEYMGR-API
  # This task should be set to run-once
  # NOTE(review): no `run_once` is set on this play or on the include below,
  # so unless keystone_change_pwd.yml sets it itself the password change runs
  # on every KEYMGR-API host. That task file is not part of this playbook;
  # it presumably handles credentials, so check that it keeps them out of
  # task output.
  tasks:
    - include: roles/KEYMGR-API/tasks/keystone_change_pwd.yml
      ansible_python_interpreter:
        "{{ KEY_CLI.vars.keystone_client_python_interpreter }}"

- include: barbican-start.yml

07070100000014000081A40000000000000000000000015E7B82F9000005EB000000000000000000000000000000000000004400000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-reconfigure.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Reconfigure sequence: configure API and worker hosts, refresh the Keystone
# registration, start both components in batches, then set up monitoring.

# Configure the API hosts (facts gathered explicitly).
- hosts: KEYMGR-API
  gather_facts: True
  roles:
    - KEYMGR-API
  tasks:
    - include: roles/KEYMGR-API/tasks/configure.yml

# Configure the worker hosts.
- hosts: KEYMGR-WKR
  roles:
    - KEYMGR-WKR
  tasks:
    - include: roles/KEYMGR-WKR/tasks/configure.yml

# Register necessary user, barbican roles, role assignment for api service.
- hosts: KEYMGR-API
  roles:
    - role: KEYMGR-API
  tasks:
    # Interpreter for the included tasks comes from the KEY_CLI variables.
    - include: roles/KEYMGR-API/tasks/keystone_conf.yml
      ansible_python_interpreter:
        "{{ KEY_CLI.vars.keystone_client_python_interpreter }}"

# Split the tasks to enable serial restart
# `serial: "50%"` runs each play on half of its hosts per batch.
- hosts: KEYMGR-API
  serial: "50%"
  roles:
    - role: KEYMGR-API
  tasks:
    - include: roles/KEYMGR-API/tasks/start.yml

- hosts: KEYMGR-WKR
  serial: "50%"
  roles:
    - role: KEYMGR-WKR
  tasks:
    - include: roles/KEYMGR-WKR/tasks/start.yml

- include: barbican-configure-monasca.yml
07070100000015000081A40000000000000000000000015E7B82F90000028D000000000000000000000000000000000000004000000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-restart.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Restart: first schedule a restart of the Barbican services, then run the
# start playbook.
- include: _barbican-schedule-restart.yml

- include: barbican-start.yml
07070100000016000081A40000000000000000000000015E7B82F90000037C000000000000000000000000000000000000003E00000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-start.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Start the Barbican components. `serial: 1` makes each play handle one host
# at a time instead of all hosts in parallel.

# API server hosts.
- hosts: KEYMGR-API
  serial: 1
  roles:
    - role: KEYMGR-API
  tasks:
    - include: roles/KEYMGR-API/tasks/start.yml

# Worker hosts.
- hosts: KEYMGR-WKR
  serial: 1
  roles:
    - role: KEYMGR-WKR
  tasks:
    - include: roles/KEYMGR-WKR/tasks/start.yml
07070100000017000081A40000000000000000000000015E7B82F900000310000000000000000000000000000000000000003F00000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-status.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Status check for the API hosts only; this playbook has no KEYMGR-WKR play.
# `max_fail_percentage: 0` aborts the play as soon as any host fails.
- hosts: KEYMGR-API
  max_fail_percentage: 0
  roles:
    - role: KEYMGR-API
  tasks:
    - include: roles/KEYMGR-API/tasks/status.yml
07070100000018000081A40000000000000000000000015E7B82F900000362000000000000000000000000000000000000003D00000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-stop.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Stop the Barbican components: API hosts first, then worker hosts.
- hosts: KEYMGR-API
  roles:
    - role: KEYMGR-API
  tasks:
    - include: roles/KEYMGR-API/tasks/stop.yml

- hosts: KEYMGR-WKR
  roles:
    - role: KEYMGR-WKR
  tasks:
    - include: roles/KEYMGR-WKR/tasks/stop.yml
07070100000019000081A40000000000000000000000015E7B82F900000345000000000000000000000000000000000000004000000000ardana-barbican-8.0+git.1585152761.8ef3d61/barbican-upgrade.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Upgrade sequence, in order: status check, stop, install, configure, start,
# status check again. The first status check runs before anything is
# changed; the last one runs after the services have been started.
- include: barbican-status.yml
- include: barbican-stop.yml
- include: _barbican-install.yml
- include: _barbican-configure.yml
- include: barbican-start.yml
- include: barbican-status.yml
0707010000001A000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000003200000000ardana-barbican-8.0+git.1585152761.8ef3d61/config0707010000001B000081A40000000000000000000000015E7B82F9000004B2000000000000000000000000000000000000004800000000ardana-barbican-8.0+git.1585152761.8ef3d61/config/barbican-symlinks.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Mapping of "barbican/<name>" entries to files inside this repository
# (presumably link name on the left, link target on the right -- confirm
# against the tool that consumes this file).
# The entries include the service configuration template and policy.json,
# i.e. files that define authorization behaviour, so changes made through
# these links deserve review.
symlinks:
  "barbican/barbican.conf.j2": roles/KEYMGR-API/templates/barbican.conf.j2
  "barbican/barbican_deploy_config.yml": roles/barbican-common/vars/barbican_deploy_config.yml
  "barbican/barbican_kmip_plugin_config_sample.yml": roles/KEYMGR-API/files/samples/barbican_kmip_plugin_config_sample.yml
  "barbican/barbican_pkcs11_plugin_config_sample.yml": roles/KEYMGR-API/files/samples/ardana/barbican_pkcs11_plugin_config_sample.yml
  "barbican/policy.json": roles/KEYMGR-API/templates/policy.json
  "barbican/README.md": roles/KEYMGR-API/README.md
0707010000001C000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000003A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/filter_plugins0707010000001D000081ED0000000000000000000000015E7B82F900000748000000000000000000000000000000000000005900000000ardana-barbican-8.0+git.1585152761.8ef3d61/filter_plugins/barbican_master_key_decrypt.py#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#

import base64
import imp
import os.path


# Directory that holds this plugin file, with symlinks resolved.
path = os.path.dirname(os.path.realpath(__file__))

# Load ardanaencrypt.py from the parent of this plugin directory.
# imp.load_source executes that file when this plugin is imported, so the
# file should be writable only by the account that maintains the playbooks.
# NOTE(review): ardanaencrypt.py is not visible here; confirm where it is
# installed from. The imp module is deprecated and was removed in
# Python 3.12; importlib is its replacement.
ardanaencrypt = imp.load_source('ardanaencrypt', path + '/../ardanaencrypt.py')

# Name of the attribute in ardanaencrypt that is looked up below.
encryption_class = 'openssl'

# The looked-up class; the decrypt filter reads its prefix and legacy_prefix
# attributes and instantiates it to call decrypt().
ardanaencrypt_class = getattr(ardanaencrypt, encryption_class)

# Filter that decrypts the customer-defined encrypted master key.
# It only decrypts a key that carries the prefix @ardana@.
# The customer defines this key, barbican_customer_master_key, in
# roles/barbican-common/vars/barbican_deploy_config.yml


def barbican_master_key_decrypt(value, *args, **kw):
    """Return the plaintext of an ardanaencrypt-wrapped master key.

    A value that starts with the current or the legacy prefix of
    ``ardanaencrypt_class`` has that prefix removed, is URL-safe base64
    decoded and is passed to ``decrypt()``. Any other value is returned
    unchanged, so a master key that was stored unencrypted passes straight
    through this filter.

    :param value: string holding the (possibly encrypted) master key.
    :param args: ignored.
    :param kw: ignored.
    :returns: the result of ``decrypt()`` for a prefixed value, otherwise
        ``value`` itself.

    Characters outside ASCII are dropped silently by the
    ``encode('ascii', 'ignore')`` call before the payload is decoded.
    """
    if value.startswith(ardanaencrypt_class.prefix):
        matched = ardanaencrypt_class.prefix
    elif value.startswith(ardanaencrypt_class.legacy_prefix):
        # Values encrypted before an upgrade may still carry the legacy
        # prefix and have to keep working.
        matched = ardanaencrypt_class.legacy_prefix
    else:
        return value

    cipher = ardanaencrypt_class()
    ascii_value = value.encode('ascii', 'ignore')
    payload = ascii_value[len(matched):]
    return cipher.decrypt(base64.urlsafe_b64decode(payload))


class FilterModule(object):
    """Filter plugin entry point that exposes the master key decrypt filter."""

    def filters(self):
        """Return the mapping of filter name to implementing callable."""
        exported = {}
        exported['barbican_master_key_decrypt'] = barbican_master_key_decrypt
        return exported
0707010000001E000081A40000000000000000000000015E7B82F900000707000000000000000000000000000000000000004D00000000ardana-barbican-8.0+git.1585152761.8ef3d61/filter_plugins/check_variables.py#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Create variable value validation filter


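def is_str_set(my_var, do_define_check=True):
    """Report whether a variable holds a non-blank value.

    :param my_var: value to check; ``None``, an integer or a string.
    :param do_define_check: accepted for backward compatibility and has no
        effect. The earlier ``NameError`` guard it controlled could never
        trigger, because a function parameter is always bound.
    :returns: ``False`` for ``None``; an integer is returned as-is (so ``0``
        is falsy); an empty string is returned as-is; any other string gives
        ``True`` when it still has content after stripping whitespace,
        otherwise ``False``.
    :raises AttributeError: for a truthy value that is neither an integer
        nor a string, because it has no ``strip()``.
    """
    # Imported here so the block does not depend on a new file-level import.
    import numbers

    if my_var is None:
        return False
    # numbers.Integral covers int and bool on Python 3 and also long on
    # Python 2; the earlier bare reference to ``long`` raised NameError on
    # Python 3 for every non-None input.
    if isinstance(my_var, numbers.Integral):
        return my_var  # return natural number as-is
    return my_var and my_var.strip() != ''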


def is_bool_true(my_var, do_define_check=True):
    """Check whether a value stands for boolean True.

    A real boolean ``True`` is returned as-is. For a non-empty string the
    result is ``True`` when the stripped, lower-cased text is one of
    ``yes``, ``true``, ``1`` or ``on``, otherwise ``False``. A falsy input
    (``None``, ``False``, ``''``, ``0``) is returned unchanged.

    ``do_define_check`` does not alter the result: the guard it selects only
    reads ``my_var``, which is always bound as a parameter.

    A truthy value that is neither a boolean nor a string (for example the
    integer ``1``) raises ``AttributeError``, because it has no ``strip()``.
    """
    if not my_var:
        # Falsy values pass through untouched.
        return my_var
    if isinstance(my_var, bool):
        return my_var
    normalized = my_var.strip().lower()
    return normalized in ['yes', 'true', '1', 'on']


class FilterModule(object):
    """Filter plugin entry point that exposes the variable validation filters."""

    def filters(self):
        """Return the mapping of filter name to implementing callable."""
        exported = {}
        exported['is_str_set'] = is_str_set
        exported['is_bool_true'] = is_bool_true
        return exported
0707010000001F000041ED0000000000000000000000065E7B82F900000000000000000000000000000000000000000000003100000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles07070100000020000041ED0000000000000000000000095E7B82F900000000000000000000000000000000000000000000003C00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API07070100000021000081A40000000000000000000000015E7B82F90000439E000000000000000000000000000000000000004600000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/README.mdREADME
======

## First Time Initial Master Key Setup
When Barbican uses *simple_crypto_plugin* as its secret store backend, the
master key must be defined **before initial deployment**. This backend is
used when secrets are stored in Barbican's database. If you do not specify a
key before deployment, the default master key is used. This is not
recommended, because a default key is not unique to your installation.

**Once the master key is set, it must not be modified.**

**If you previously defined your own encrypted master key, remember to export
that encryption key in the following environment variable before you run any
playbooks:**
`export ARDANA_USER_PASSWORD_ENCRYPT_KEY=<encryption key>`
**For more details, refer to the official Ardana OpenStack/Barbican documentation.**

**If you are upgrading and already have the master key defined from a previous
version or installation, check the *barbican_customer_master_key* value in
~/openstack/ardana/ansible/roles/barbican-common/vars/barbican_deploy_config.yml.
If the value does not have the prefix "@ardana@", it is not encrypted.
It is highly recommended to encrypt this value.**
* Encrypt the existing key during upgrade
  * Set the environment variable ARDANA_USER_PASSWORD_ENCRYPT_KEY, which contains the key
  used to encrypt the Barbican master key.
  * Note: Before you run any playbooks, remember that you need to export the encryption key in the
  following environment variable:
  * `export ARDANA_USER_PASSWORD_ENCRYPT_KEY=<USER_ENCRYPTION_KEY>`
  * execute
    * python *roles/KEYMGR-API/templates/generate_kek <barbican_customer_master_key>*
  * Master key is generated at stdout
  * Set above master key in file  ~/openstack/ardana/ansible/roles/barbican-common/vars/barbican_deploy_config.yml
    * Replace existing *barbican_customer_master_key* value with above generated
      master key
    * Commit the change in git repository.
    * *cd ~/openstack/ardana/ansible/*
    * *ansible-playbook -i hosts/localhost ready-deployment.yml*
    * Once master key is set, continue with cloud deployment.

**It is not recommended to change the master key during the upgrade process.
Changing the master key results in read errors for existing secrets, because
they were encrypted with the previous master key.**

* Generate master key using provided python *generate_kek* script on deployer node
  * Set the environment variable ARDANA_USER_PASSWORD_ENCRYPT_KEY, which contains the key
  used to encrypt the Barbican master key.
  * export ARDANA_USER_PASSWORD_ENCRYPT_KEY=<USER_ENCRYPTION_KEY>
  * python  *roles/KEYMGR-API/templates/generate_kek*
* Master key is generated at stdout from previous command
* Set above master key in file  ~/openstack/ardana/ansible/roles/barbican-common/vars/barbican_deploy_config.yml
  * Replace existing *barbican_customer_master_key* value with above generated
  master key
  * Commit the change in git repository.
  * *cd ~/openstack/ardana/ansible/*
  * *ansible-playbook -i hosts/localhost ready-deployment.yml*
* Once master key is set, continue with cloud deployment.

# Configurable Values

There are different configurable entries for Barbican.

1. Configuration entries that are available upstream in *barbican.conf*. This has upstream defined configurable values.
2. Deployment specific configuration which are not part of *barbican.conf* like
log_level, process count etc.

The following section describes the mechanism used for overriding or changing those
configuration entries.

* To change configuration entries used by Barbican API service config i.e. barbican.conf
   * Edit the files *roles/KEYMGR-API/templates/barbican.conf.j2*  to add or
   change any config settings
   * Make sure that you don't change any values under {{ }} in above mentioned file.

* To change, configurable properties which are not part of Barbican API service config
  such as log level
    * Edit the files  *roles/barbican-common/vars/barbican_deploy_config.yml* to
    change any config settings
    * Here you can only change values, can't add any new settings
    * For log level, replace current value with new log level e.g.
        * *barbican_loglevel: "DEBUG"*

To make above changes effective, Barbican reconfigure playbook needs to be executed
which deploys the new settings on its API nodes.

* cd ~/openstack/ardana/ansible/
* ansible-playbook -i hosts/localhost ready-deployment.yml
* cd ~/scratch/ansible/next/ardana/ansible
* *ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml*

## Tested/Supported Features

### Enable or Disable Auditing
  * Auditing feature can be disabled or enabled by following steps.
    * Edit the file  ~/openstack/my_cloud/definition/cloudConfig.yml
    * All audit related configuration is defined under `audit-settings` section.
        * Please note that valid yaml syntax need to be followed when specifying values.
    * Service name defined under `enabled-services` or `disabled-services` override
      the default setting (i.e. `default: enabled` or `default: disabled`)
    * To enable auditing, make sure that `barbican` service name is within
      `enabled-services` list of `audit-settings` section or is **not** present in
      `disabled-services` list when `default: enabled`.
    * To disable auditing for barbican service specifically, make sure that `barbican`
      service name is within `disabled-services` list of `audit-settings`
      section or is **not** present in `enabled-services` list when
      `default: disabled`.
    * It is incorrect to specify the service name in both lists. If it is specified
      in both, then the `enabled-services` value takes precedence.
    * Commit the change in git repository.
    * *cd ~/openstack/ardana/ansible/*
    * *ansible-playbook -i hosts/localhost config-processor-run.yml*
    * *ansible-playbook -i hosts/localhost ready-deployment.yml*
    * *cd ~/scratch/ansible/next/ardana/ansible*
  * *ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml*


### Enable or Disable KMIP Plugin
  * (Step 1) To populate or change clients certificate on Barbican nodes.
      * For KMIP device, SSL client certificate is needed as generally HSM devices
        require 2-way SSL for security reasons.
        * Get needed client certificate, client private key and client root CA recognized
        by HSM device.
        * These certificate information is provided to Barbican service via reconfigure
        playbook.
        * Look into KMIP certificates sample file barbican_kmip_plugin_config_sample.yml
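        * Copy this file to a temporary directory e.g. /tmp/kmip_plugin_certs.yml.
          The copy will carry the client private key or the path to it, so keep it
          readable only by the deploying user and delete it after the playbook run.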
        * Edit the file to provide either client certificates as absolute file paths (i.e.
        `client_cert_file_path`, `client_key_file_path`, `client_cacert_file_path`) or
         pasting certificate content directly into the file (i.e. in `client_cert_content`,
         `client_key_content`, `client_cacert_content`).
       * *ansible-playbook  -i hosts/verb_hosts barbican-reconfigure.yml -e@/tmp/kmip_plugin_certs.yml*

  * (Step 2) To provide or update HSM connection credential for Barbican service
      * In this step, KMIP plugin connection details are provided to service.
          * Edit the files  ~/openstack/ardana/ansible/roles/barbican-common/vars/barbican_deploy_config.yml
          * Change the value `use_kmip_secretstore_plugin` to True to use KMIP
            plugin or False to use default secret store plugin (`store_crypto`).
          * Provide KMIP client connection credentials and KMIP server
            hostname and port.
          * Commit the change in git repository.
          * *cd ~/openstack/ardana/ansible/*
          * ansible-playbook -i hosts/localhost ready-deployment.yml
          * *cd ~/scratch/ansible/next/ardana/ansible*
      * *ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml*

```
Note: If preferred, actions described in step 1 can be executed without reconfigure
playbook execution. And reconfigure playbook action can be executed at the end of
step 2 actions. This can reduce reconfigure need in initial setup.

ansible-playbook  -i hosts/verb_hosts barbican-reconfigure.yml -e@/tmp/kmip_plugin_certs.yml

Individual step 1 and step 2 are needed when client certificates or HSM connection
information needs to be updated.
```

#### Troubleshooting KMIP Plugin Setup

1.  Make sure that the 'Common Name' field in the Certificate Signing Request
(CSR) matches the *barbican_kmip_username* value defined in
*roles/barbican-common/vars/barbican_deploy_config.yml*. Otherwise you may see
an *Internal Server Error* from Barbican on create-secret requests, an error
that does not point clearly to this cause.

2. Currently Barbican does not return clear related error with regards to client
certificate setup and its connectivity with KMIP server. During secret create
request, general *Internal Server Error* is returned when certificate is invalid
or missing any of needed client certificate data (client certificate, key and CA
root certificate).

### Enable or Disable PKCS11 Plugin

  * (Step 1) Import and install the PKCS11 library debian package.
    * This is a one-time setup to install pkcs11 package on barbican nodes.
    * Make sure you are on deployer node
    * If not present, Create the directory
      /home/stack/third-party/barbican/pkgs/debian
    * Populate the directory with the full set of debian packages which has
      HSM specific PKCS11 library
    * Run the 3rd-party import playbook:
      * *cd ~/openstack/ardana/ansible/*
      * *ansible-playbook -i hosts/localhost third-party-import.yml*
      * *cd ~/scratch/ansible/next/ardana/ansible*
      * *ansible-playbook -i hosts/verb_hosts osconfig-run.yml*
    * This imports the above packages into the Ardana third-party repo,
      ready for installation, and ensures that an
      /etc/apt/sources.list.d entry exists for the third-party apt repo.
      For example, you can import hppkcs11
      (`<eskm_pkcs11_package_version>.deb`), which is the PKCS11
      library for the ESKM (Enterprise Secure Key Manager) HSM.
    * Once the library package is imported into the third-party repository,
      you can install it by running the barbican playbook and
      passing the extra ansible variable `barbican_pkcs11_package_name`.
      If the given package is not present on the controller nodes,
      the latest version from the third-party repository is installed, like
    * *ansible-playbook  -i hosts/verb_hosts barbican-reconfigure.yml --extra-vars "barbican_pkcs11_package_name=hppkcs11"*
    * Or if you want to install specific version of the package, or
      upgrade or downgrade from the one you have on the controller nodes,
      you can pass the version info to the playbook, like
      *ansible-playbook  -i hosts/verb_hosts barbican-reconfigure.yml --extra-vars "barbican_pkcs11_package_name=hppkcs11=0.2.1"*
    * Above step would install provided package on controller node in its
      default location.

  * (Step 2) To provide or update HSM connection credential for Barbican service
      * In this step, PKCS11 plugin connection details are provided to service.
          * Edit the files  ~/openstack/ardana/ansible/roles/barbican-common/vars/barbican_deploy_config.yml
          * Change the value `use_pkcs11_crypto_plugin` to True to use PKCS11
            plugin crypto setup. False is used to indicate other plugin setup usage.
          * Provide details for PKCS11 client connection. Details needed are
            * session password
            * expected location for vendor specific pkcs11 shared library on
              Barbican nodes. Provide absolute path on **controller** node.
            * label used for master kek
            * label used for hmac key
          * If PKCS11 provider is ESKM, then `barbican_pkcs11_provider_is_eskm`
            flag can be set to True and playbooks will use default paths for
            library and its certificate location.
          * Commit the change in git repository.
          * *cd ~/openstack/ardana/ansible/*
          * ansible-playbook -i hosts/localhost ready-deployment.yml
          * *cd ~/scratch/ansible/next/ardana/ansible*
      * *ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml*
      * If PKCS11 provider is ESKM, then `barbican_pkcs11_provider_is_eskm` flag can be set to True
        and playbooks will use default paths for library and its certificate location

  * (Step 3) *** Atalla ESKM Specific Setup Only ***
     Please note that PKCS11 provider may have some custom configuration steps
     and those needs to be done manually. This specific step is just provided
     for ESKM PKCS11 connector.
     In this step, ESKM KMIP server address is set or updated.
    * For ESKM PKCS11 connector, there is connection configuration information
      needed by its PKCS11 connector e.g. KMIP server address, token firmware
      version and various flags needed for PKCS11 session.
    * Customer is expected to provide KMIP server address.
    * Barbican playbook provides following mechanism to generate related
      configuration with customer provided KMIP server address. For any other
      customization, customer is expected to refer ESKM PKCS11 documentation and
      make those changes manually on controller nodes hosting Barbican service.
    * Edit the files  ~/openstack/ardana/ansible/roles/barbican-common/vars/barbican_deploy_config.yml
    * Set the value for `barbican_pkcs11_eskm_kmip_host`, `barbican_pkcs11_eskm_kmip_port`
    * Commit the change in git repository.
    * *cd ~/openstack/ardana/ansible/*
    * ansible-playbook -i hosts/localhost ready-deployment.yml
    * *cd ~/scratch/ansible/next/ardana/ansible*
    * *ansible-playbook  -i hosts/verb_hosts barbican-reconfigure.yml --extra-vars "barbican_pkcs11_eskm_generate_conf=True"*

  * (Step 4) To populate or change clients certificate on Barbican nodes.
      * For PKCS11 device, SSL client certificate is needed as generally HSM devices
        require 2-way SSL for security reasons.
        * Get needed client certificate, client private key and client root CA recognized
        by HSM device.
        * These certificate information is provided to Barbican service via reconfigure
        playbook.
        * Look into HSM certificates sample file barbican_pkcs11_plugin_config_sample.yml
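        * Copy this file to a temporary directory e.g. /tmp/pkcs11_plugin_certs.yml.
          The copy will carry the client private key or the path to it, so keep it
          readable only by the deploying user and delete it after the playbook run.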
        * Edit the file to provide either client certificates as absolute file paths (i.e.
        `client_cert_file_path`, `client_key_file_path`, `client_cacert_file_path`) or
         pasting certificate content directly into the file (i.e. in `client_cert_content`,
         `client_key_content`, `client_cacert_content`).
        * Edit the file  ~/openstack/ardana/ansible/roles/barbican-common/vars/barbican_deploy_config.yml
          for pkcs11 certificate locations.
        * Provide expected path for client side certificates on barbican nodes.
            * `barbican_pkcs11_client_cert_path` - client certificate file path
            * `barbican_pkcs11_client_key_path` - Private key file path created
                via CSR generation
            * `barbican_pkcs11_client_cacert_path` - root CA recognized by HSM
                device and used for CSR signing.
        * Commit the change in git repository.
        * *cd ~/openstack/ardana/ansible/*
        * ansible-playbook -i hosts/localhost ready-deployment.yml
        * *cd ~/scratch/ansible/next/ardana/ansible*
      * *ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml -e@/tmp/pkcs11_plugin_certs.yml*

  * (Step 5) Generate labels for master kek and hmac key used for PKCS11 plugin.
    This is one-time setup which generates needed mkek and hmac labels. As a
    pre-requisite, Step 2, (+ Step 2b in ESKM HSM case) and Step 3 needs to be done
    beforehand.
    * *ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml --extra-vars "barbican_pkcs11_generate_labels=True"*


```
Note: If preferred, actions described in step 1 (except running 3rd-party import playbook), 2, 3 and 4 can be executed
together. Just make sure that all PKCS11 specific variables are configured
correctly in barbican_deploy_config.yml and single space is present between
variables defined via 'extra-vars' option

ansible-playbook  -i hosts/verb_hosts barbican-reconfigure.yml \
    --extra-vars "barbican_pkcs11_package_name=hppkcs11 \
    barbican_pkcs11_generate_labels=True" \
    -e@/tmp/pkcs11_plugin_certs.yml

For ESKM, combined step is as follows (with generate conf file option).

ansible-playbook  -i hosts/verb_hosts barbican-reconfigure.yml \
    --extra-vars "barbican_pkcs11_package_name=hppkcs11 \
    barbican_pkcs11_eskm_generate_conf=True \
    barbican_pkcs11_generate_labels=True" \
    -e@/tmp/pkcs11_plugin_certs.yml

Individual step 1, step 2, step 3 or step 4 are needed when the pkcs11 library,
client certificates or HSM connection information needs to be updated.
```

#### Troubleshooting PKCS11 Plugin Setup

1. With an ESKM device, make sure that the 'Common Name' of the Certificate
Signing Request (CSR) exists in the HSM as a local user. Otherwise you may see
an *Internal Server Error* from Barbican on create-secret requests, an error
that does not point clearly to this cause.
07070100000022000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004500000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/defaults07070100000023000081A40000000000000000000000015E7B82F900000323000000000000000000000000000000000000004E00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/defaults/main.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Service name for this role, taken from barbican_api_service_name, which is
# defined outside this file.
component_service_name: "{{ barbican_api_service_name }}"

# NOTE(review): presumably the notification driver written into the service
# configuration - confirm against the barbican.conf.j2 template.
notification_driver_name: "log"
# Empty by default.
# NOTE(review): presumably filled in when auditing is enabled for barbican
# (see "Enable or Disable Auditing" in the role README) - confirm.
audit_filter: ""
# File name of the API logging configuration.
logging_conf_file_name: api-logging.conf
07070100000024000041ED0000000000000000000000035E7B82F900000000000000000000000000000000000000000000004200000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files07070100000025000041ED0000000000000000000000035E7B82F900000000000000000000000000000000000000000000004A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples07070100000026000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000005100000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/ardana07070100000027000081A40000000000000000000000015E7B82F900001872000000000000000000000000000000000000007A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/ardana/barbican_pkcs11_plugin_config_sample.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

barbican_pkcs11_plugin_conf:

  # Either use file path to provide client certificate details or add cert
  # content directly in related content variables defined below.

  # File paths take precedence over cert content if both are provided.
  # Here a file path refers to a path on the local filesystem of the host
  # where ansible is executed.
  client_cert_file_path:
  client_key_file_path:
  client_cacert_file_path:

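  # The following values are samples only; replace them with your own
  # content here or use the file path approach mentioned above. The sample
  # private key is distributed with this package, so it must never be used
  # for a real HSM connection.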
  client_cert_content: |
    -----BEGIN CERTIFICATE-----
    MIIDvzCCAqegAwIBAgIBHTANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMCVVMx
    EzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEMMAoGA1UE
    ChMDSFBFMQ8wDQYDVQQLEwZBdGFsbGExFDASBgNVBAMTC3Z0ZXNrbS1rbWlwMR8w
    HQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1wbGUuY29tMB4XDTE2MDUwODIzMDYyNFoX
    DTI2MDEzMTIzMDYyNFowgZYxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAG
    A1UEBwwJU3Vubnl2YWxlMQwwCgYDVQQKDANIUEUxFzAVBgNVBAsMDkNsb3VkIFNl
    cnZpY2VzMR0wGwYDVQQDDBRob3M0X2JhcmJpY2FuX3BrY3MxMTEgMB4GCSqGSIb3
    DQEJARYRYXJ1bi5rYW50QGhwZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
    ggEKAoIBAQCz2E6xXR+o9alGz+GsWh1eCs1CUQsQWOFgbSwWNDv8xNZRBVuKVirS
    scx3D+ziI6UbB4rOsRfX8ib5ICQXskaMScyVOm3oQo6YDuOMAM0C3Bal2C00q8Dv
    5JAiEt7rOV4dg4bKtZbV+nQiumFduecbrBQ05hYs/bY8Lfh3v6AF0zLqY4dG/zA2
    oYPXQCPV/jV3lGrlwXn/U1nWD2AcIRjq+anf7V4iUdsuaybzfcVIw0GEPg2Fhsgk
    IxKPOFE1hGOTcygk0ATdxdCUtHuQVLkpA2neTPcEMTFitJMn0yhncOxjWiON0CKe
    UGzBoBfdl7r/gA2UxdtQe0FlnXY4zDY/AgMBAAGjIDAeMAkGA1UdEwQCMAAwEQYJ
    YIZIAYb4QgEBBAQDAgeAMA0GCSqGSIb3DQEBCwUAA4IBAQDFUham8kfqkJwCGJpY
    QqGd4MtOxUAj+OevNkZjEdnJd7SXQFKNwCNxw231XRuk0w6otuzOv+PniwLhy2IS
    HowPaKtDmzncfwp01p5U/+E062bjEqlCN7N4dNoSjUuveoEwROI5Opo/wfLhKOuw
    InUz14Le6VyJ9PdcLZmKWpnYQRytiPcNadIwt19fxja7CBJ+bX/NSdX/b1/fMeN9
    8xmOn0ruoKdfD4cx/fVmMc+cV49elRKObaIaBgSQTWvjQIx8RWVPdMbQST36SlHK
    3YLCDn/97rSkOUGAz7ZGJXJGACzHsM9o1cix6y8rKco+kqGvqkBAJZoIByg0ER07
    CM0u
    -----END CERTIFICATE-----
  client_key_content: |
    -----BEGIN PRIVATE KEY-----
    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCz2E6xXR+o9alG
    z+GsWh1eCs1CUQsQWOFgbSwWNDv8xNZRBVuKVirSscx3D+ziI6UbB4rOsRfX8ib5
    ICQXskaMScyVOm3oQo6YDuOMAM0C3Bal2C00q8Dv5JAiEt7rOV4dg4bKtZbV+nQi
    umFduecbrBQ05hYs/bY8Lfh3v6AF0zLqY4dG/zA2oYPXQCPV/jV3lGrlwXn/U1nW
    D2AcIRjq+anf7V4iUdsuaybzfcVIw0GEPg2FhsgkIxKPOFE1hGOTcygk0ATdxdCU
    tHuQVLkpA2neTPcEMTFitJMn0yhncOxjWiON0CKeUGzBoBfdl7r/gA2UxdtQe0Fl
    nXY4zDY/AgMBAAECggEBAKqY2nTmiDzG4483bLQIO2lUx8ZLiDo2hXvps3NQk0LA
    GSh784yzFiYM4I5kfek5tMmCCwrr9Fk07AFPms0boE49RyKbbVxvnkHhhbntnItE
    6PriqGcZMYieAJdB3VG2dm96r2ckf/N0g6vZrriwuuiGABj51TlSZgaJ+PLmxE4g
    pUYHFe4PFm9mvwVG++hFrCqMuyE/RZKmkvUoGElkEUDXFsYYV15+lAsd4FojO4pZ
    2g7UkL8Q7g/Kr5WyRKfYdes4rdhd2/yIH3tXGTgclUqCDFDsKj4+C4x0BwV3ReCp
    SzKAbxjAeoEqJFez41uYk9gsx2MDCpcqxSvgn55krxkCgYEA2PNRBkXJtkVc/igD
    SOIFWKiX+0yctKBZj062RR78uXCxZ5rSpRZL1VoAs7bFZKNRsXaMhAQOH/dHBFqq
    v+daZHY48pZg5t7YF3pxS2TaFAXIZ870H8qnM+JLwPqldiBiapp6dEbR0Hwky0rn
    c2eOhWa8FzO/a18F7LFpxo0rBdUCgYEA1Dc8jnc2Z6tMis6g9i8UIkPSGcfKPjAE
    rSxKvX9K0L3zcoXw3b4bsoiG0ROmTAZ8QVxnxjKNZPSCv4fMOpXMnGEu6/Gi7ofk
    DuXhPqj2Nu3GLLBhmEOOiYz6qgU5m7Hu2D7rj/4YZQL3VK5oP2R5JUDve4zI5GXP
    Kp2rXBjFMcMCgYEA0mBH/rwn2Q80GOU2IjPCmXGLR03IW8NudXAPgcGFslEcRuo0
    P4/6Y15OdfbTPT6+FkduBQplpAvGmutMzqCK4AZgPKUkPFx10XaTbFfUvTvKVRez
    VSzPrJlRekXTs1O9+7/m5OBTz0bC6zusaxVNeADifeFZSsYvWZHEj5wOzy0CgYBA
    Ul2wcMG0ul8A05BGDg70M8pCtiO+pZ9FPd+JgEOU8X4QgDh5fV23x1nVlTcaY/zV
    csShdkEVEGdw1iA4wZ6651npedwAoH+nZFXZQC0giQFAGlX6aL+TQX/YeKz1XAEg
    2jFb+5A5TaTZreM7E6EEgaIUuJ9LWvBn4lJGH9vlMQKBgB9SGeF32EPSzl/M8FOF
    /+5k1QKKB+a0sqYhUKYrf2cAhBk67516jPRUDQAEcuXOkuZi6wb5sHrQvWCJHzVJ
    Ddzr5HHGX+PNRkt/tx+tnV74i0IAJJlhgqizuVtrOSaz3DEKH03d/4K9CJDPODpp
    esf1sUXCyOs6hvJguTFB3hvI
    -----END PRIVATE KEY-----
  client_cacert_content: |
    -----BEGIN CERTIFICATE-----
    MIIEgjCCA2qgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMCVVMx
    EzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEMMAoGA1UE
    ChMDSFBFMQ8wDQYDVQQLEwZBdGFsbGExFDASBgNVBAMTC3Z0ZXNrbS1rbWlwMR8w
    HQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1wbGUuY29tMB4XDTE2MDIwMjIyMjAwOVoX
    DTI2MDEzMTIyMjAwOVowgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y
    bmlhMRIwEAYDVQQHEwlTdW5ueXZhbGUxDDAKBgNVBAoTA0hQRTEPMA0GA1UECxMG
    QXRhbGxhMRQwEgYDVQQDEwt2dGVza20ta21pcDEfMB0GCSqGSIb3DQEJARYQdGVz
    dEBleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM0P
    whdtq7KTFjD5RSeb8aOR3M4su9sO4iwXHkeXgQ3lEzDK9bdT+E5d/jhjmhmVafkL
    S6hdvKlf5lTaQ3INZrLCERj1n+valARbdlloRmKAm1s8BaZatPATuEvGJz1tnMpF
    y8eUO88kQMDam17HKfeAxU+G50P7NodnjFMv/6nLpKAYBi6ERHO8rdhLoYSqDahH
    Tlp9xcxhFBunMMkM06w8u8htoXDfA9vW8G/EeymZj0fRVJV2E1VkdasJ7ncK20d2
    9cCFy2tfJ5sZlHPy6UBGcsgzytJx/bnzniBCBCv+MZWqBTfioTZCs+ufYASh8DPG
    AaCJlEgN7uY2Zv3FBNsCAwEAAaOB7DCB6TAdBgNVHQ4EFgQU8JpCrRunXm9ht2Zd
    90XHLMIrY0swgbkGA1UdIwSBsTCBroAU8JpCrRunXm9ht2Zd90XHLMIrY0uhgZKk
    gY8wgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQH
    EwlTdW5ueXZhbGUxDDAKBgNVBAoTA0hQRTEPMA0GA1UECxMGQXRhbGxhMRQwEgYD
    VQQDEwt2dGVza20ta21pcDEfMB0GCSqGSIb3DQEJARYQdGVzdEBleGFtcGxlLmNv
    bYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQASJDJCRZcIvwr0
    L0GUuTf5eR4Z1i8AUvs8j2JB7xz+DOukBL7Ty9qQr1hFnq6ArNFa3c//oBwCLzlF
    eHr5Jz80u2MnR6xO/jBRI58j7jqednFEEkH8L5VGtbT4AZLqMwuJxLDHHpHZ5gef
    3FzAeP3frE7ALLJH4LFuL95hJ1GlNf0S6axJyZ5jKIbOic6r57/BWD5Fjr0GTw1L
    NckGzGjtiHqAZ5kmx19PzYwpV682hd5m9np6gvIfFRIwswlLwOL00qqQ7fkJnrIM
    Dh9ICkgZ3SZZxxyiQ8UV/SDta2P7FVDmRdRsV4B3OI/Z5zcqgZlm+Z3F1q5WvkqU
    Sc8quzS0
    -----END CERTIFICATE-----
07070100000028000081A40000000000000000000000015E7B82F900000657000000000000000000000000000000000000006600000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/ardana/sample_pkcs11_ca.pem-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
07070100000029000081A40000000000000000000000015E7B82F90000054F000000000000000000000000000000000000006A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/ardana/sample_pkcs11_client.pem-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
0707010000002A000081A40000000000000000000000015E7B82F9000006A8000000000000000000000000000000000000007500000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/ardana/sample_pkcs11_client_privateKey.pem-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCz2E6xXR+o9alG
z+GsWh1eCs1CUQsQWOFgbSwWNDv8xNZRBVuKVirSscx3D+ziI6UbB4rOsRfX8ib5
ICQXskaMScyVOm3oQo6YDuOMAM0C3Bal2C00q8Dv5JAiEt7rOV4dg4bKtZbV+nQi
umFduecbrBQ05hYs/bY8Lfh3v6AF0zLqY4dG/zA2oYPXQCPV/jV3lGrlwXn/U1nW
D2AcIRjq+anf7V4iUdsuaybzfcVIw0GEPg2FhsgkIxKPOFE1hGOTcygk0ATdxdCU
tHuQVLkpA2neTPcEMTFitJMn0yhncOxjWiON0CKeUGzBoBfdl7r/gA2UxdtQe0Fl
nXY4zDY/AgMBAAECggEBAKqY2nTmiDzG4483bLQIO2lUx8ZLiDo2hXvps3NQk0LA
GSh784yzFiYM4I5kfek5tMmCCwrr9Fk07AFPms0boE49RyKbbVxvnkHhhbntnItE
6PriqGcZMYieAJdB3VG2dm96r2ckf/N0g6vZrriwuuiGABj51TlSZgaJ+PLmxE4g
pUYHFe4PFm9mvwVG++hFrCqMuyE/RZKmkvUoGElkEUDXFsYYV15+lAsd4FojO4pZ
2g7UkL8Q7g/Kr5WyRKfYdes4rdhd2/yIH3tXGTgclUqCDFDsKj4+C4x0BwV3ReCp
SzKAbxjAeoEqJFez41uYk9gsx2MDCpcqxSvgn55krxkCgYEA2PNRBkXJtkVc/igD
SOIFWKiX+0yctKBZj062RR78uXCxZ5rSpRZL1VoAs7bFZKNRsXaMhAQOH/dHBFqq
v+daZHY48pZg5t7YF3pxS2TaFAXIZ870H8qnM+JLwPqldiBiapp6dEbR0Hwky0rn
c2eOhWa8FzO/a18F7LFpxo0rBdUCgYEA1Dc8jnc2Z6tMis6g9i8UIkPSGcfKPjAE
rSxKvX9K0L3zcoXw3b4bsoiG0ROmTAZ8QVxnxjKNZPSCv4fMOpXMnGEu6/Gi7ofk
DuXhPqj2Nu3GLLBhmEOOiYz6qgU5m7Hu2D7rj/4YZQL3VK5oP2R5JUDve4zI5GXP
Kp2rXBjFMcMCgYEA0mBH/rwn2Q80GOU2IjPCmXGLR03IW8NudXAPgcGFslEcRuo0
P4/6Y15OdfbTPT6+FkduBQplpAvGmutMzqCK4AZgPKUkPFx10XaTbFfUvTvKVRez
VSzPrJlRekXTs1O9+7/m5OBTz0bC6zusaxVNeADifeFZSsYvWZHEj5wOzy0CgYBA
Ul2wcMG0ul8A05BGDg70M8pCtiO+pZ9FPd+JgEOU8X4QgDh5fV23x1nVlTcaY/zV
csShdkEVEGdw1iA4wZ6651npedwAoH+nZFXZQC0giQFAGlX6aL+TQX/YeKz1XAEg
2jFb+5A5TaTZreM7E6EEgaIUuJ9LWvBn4lJGH9vlMQKBgB9SGeF32EPSzl/M8FOF
/+5k1QKKB+a0sqYhUKYrf2cAhBk67516jPRUDQAEcuXOkuZi6wb5sHrQvWCJHzVJ
Ddzr5HHGX+PNRkt/tx+tnV74i0IAJJlhgqizuVtrOSaz3DEKH03d/4K9CJDPODpp
esf1sUXCyOs6hvJguTFB3hvI
-----END PRIVATE KEY-----
0707010000002B000081A40000000000000000000000015E7B82F900001886000000000000000000000000000000000000007100000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/barbican_kmip_plugin_config_sample.yml#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

barbican_kmip_plugin_conf:

  # Provide the KMIP client certificate, key and CA certificate either as
  # file paths or as inline PEM content in the *_content variables below.
  #
  # A file path takes precedence over inline content if both are provided.
  # The path is resolved on the local filesystem of the machine where
  # ansible is executed.
  client_cert_file_path: null
  client_key_file_path: null
  client_cacert_file_path: null

  # The PEM blocks below are samples shipped with this package, so the
  # private key among them is publicly known. Replace all three with your
  # own material, here or through the file paths above, before deploying.
  # Using the file paths keeps the private key out of this configuration
  # file.
  client_cert_content: |
    -----BEGIN CERTIFICATE-----
    MIID0jCCArqgAwIBAgICAKQwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVT
    MQswCQYDVQQIEwJDTzEUMBIGA1UEBxMLRnQuIENvbGxpbnMxGDAWBgNVBAoTD0hl
    d2xldHQgUGFja2FyZDEMMAoGA1UECxMDQ1RMMRYwFAYDVQQDFA1LTUlQX0xvY2Fs
    X0NBMSIwIAYJKoZIhvcNAQkBFhNkYW4uYXNoYmF1Z2hAaHAuY29tMB4XDTE1MDkx
    NjA3MjIyMVoXDTI0MDEyNTA3MjIyMVowgaAxCzAJBgNVBAYTAlVTMQswCQYDVQQI
    DAJDQTESMBAGA1UEBwwJU3Vubnl2YWxlMSMwIQYDVQQKDBpIZXdsZXR0IFBhY2th
    cmQgRW50ZXJwcmlzZTESMBAGA1UECwwJSFBFIENsb3VkMRUwEwYDVQQDDAxobG1f
    YmFyYmljYW4xIDAeBgkqhkiG9w0BCQEWEWFydW4ua2FudEBocGUuY29tMIIBIjAN
    BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArjYVZzdsSMsk520UD1E94jl0/AZG
    LlsAB152dEP5E9C3mXzQZYvfApMh8PFc53gZwLBCb4joy1r8mZj/e7CwCUuo1cJH
    R9xnhwdK3RLeRbU3dfW838++5Kc1nW8ofLtCwQ6tD1Ye2SDWKQmfvk3ocX/o81ff
    s8chvPpBH9N3nU/p5+f7bNuQBG7Uj2/JTExuqMAwWmdBZz1OCGFaJRF0DEd9WJzL
    Hdaf83ZknyKREb7CETDmxBRST4KLfLZYpLb9MWjmCgotoX3nTuEh9LhhLIdy1jKd
    7KI1MJSisLYwINLaqtpEeZcPehCHthdd4y29ZMUmhh8MRihwfW1a4HGUOQIDAQAB
    oyAwHjAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIHgDANBgkqhkiG9w0BAQsF
    AAOCAQEArRJa3dypsHD7JYxvT9nlB0FzRAmLrdfMaC8UD4UxHDfBZK1QDEc6IOyA
    0jpAmHTt7MoJN7f3MzX1M4Iu5tyUHNq1KWjtwHwEX7FrTm6G7ZOxhPiPim4BClFd
    FLoX/jlWyjzl5tjj10+26x5IuUtC+U5JUzEBY3j/q+lAO+Og2MTiJVnWm03ilsXt
    biRskNJZVtvbU71lF27Oy5rpPwhTcJ4EgRsMp7GmnlYdaT4/yRFLIBpWrtB3kooG
    Gyr8ICB8HJSWpM340f/YGIeLkoXGAWyqrxykH+fMnyCs7ctjH5B24u4y5En4q3gW
    L7x0qB6Zaf3IBkOZqf5bMfAQoKfxww==
    -----END CERTIFICATE-----
  client_key_content: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEArjYVZzdsSMsk520UD1E94jl0/AZGLlsAB152dEP5E9C3mXzQ
    ZYvfApMh8PFc53gZwLBCb4joy1r8mZj/e7CwCUuo1cJHR9xnhwdK3RLeRbU3dfW8
    38++5Kc1nW8ofLtCwQ6tD1Ye2SDWKQmfvk3ocX/o81ffs8chvPpBH9N3nU/p5+f7
    bNuQBG7Uj2/JTExuqMAwWmdBZz1OCGFaJRF0DEd9WJzLHdaf83ZknyKREb7CETDm
    xBRST4KLfLZYpLb9MWjmCgotoX3nTuEh9LhhLIdy1jKd7KI1MJSisLYwINLaqtpE
    eZcPehCHthdd4y29ZMUmhh8MRihwfW1a4HGUOQIDAQABAoIBAA2CUCKS36i9Z/0y
    Li4J5LyYLAQnEGYj1Fq97n2Rj80DkFksnpRhRkfS1Pz0Gnowi/6vLFetzC+IvLHE
    dXtH9j6iSVNaH2DpLHYCEMIX5niNVuGkzqKkX28nsDanGgKiGskRtEXOLdI0g6bn
    AiYlsHKssom8NLKiLHGVDlvDcDEYkpA2WXXFvfUtI3Twu6o/T/Pf3ytcTPpa8yvG
    K2eR+Wr6HJ6Wc7rELaNFSqcDWRqRPG8bI5bUucDOxmOZac6j5ZsrpVgnZDHO78NX
    bnrHwXzS1Hm8oT6tFQTUbzjSJb7EbgS8JXdW4zWTd3zDdkq7rX2CNSGfzAz3wSl2
    KkKSfqkCgYEA02MnqDmsUDkm6lYVva+WomMgyZvfOYDhca10tP5rBAXaZGP764tn
    PhD5KTyvOZrgBhLbsGZZVlQEwg8EKiS9vAj/POZqIs2wdH6nAni1FTRCQ2gScty0
    IgS9iIYbO31FNbfGxqNDSbLDQGpzZ8U+b12YjhhCS45e/Twvm3AeyiMCgYEA0vpg
    7vMmMgvOFDtbbOKUcLu1NgViO8B7N5idf6+Y/QYlydVXtujH0Yp9VisKDew5W1vy
    8sQTAibJSY+OpchTT4LSNf6dGmIAWQIJeIjlkAvMoCNqeHiw77ZlWvwXc4jydAc3
    pl0cIdaupeLQo+WeSthXe1JPuOv76xVZXeC4R/MCgYBdQTENlePewFfaqX+N3xil
    KvYb+xfPVnwemlcSQesUK0DdaP6KO0Wgq/w/pPXog9qw00D34S8oVoiC0/0SWoMZ
    oR54z22jTPq7aeRjwrygTh2tfwwkgBk3qL+0qvT4mZsex6R5nSziJmrc0Bl5fhq9
    Jp1Wkn0st/JP5W1bNWtf4QKBgEqt8e3jB5wjbZjfweby9RRKfURX94OrCHKPhQCT
    iZXWvT2KVPgbwc88NE1yAqcW/N6H16FzIj9at1lghV/NXx//8KTIMZgLJJBdFjki
    TBAG/TGaF6/5GLhhWdMw9KQiz5+ehmZPAww/T6bMeInrV3KqzZyLcEjGz29RKUb/
    qntdAoGBANMBU9yDbQgvDSCor24DJ/gnXRPuF3W7VlnzCbu8twRK9JZJplD+jS58
    98DmYxBio8+wQWQdiAPRRthtnvhSWL67oYACPwvWUJJ+D18HfpWCEgCmBU3a8ZHc
    AaW8rRXtMZzuujGgAbA1hpf5z1lHuiG/X7/XMDVGiRALMyBbHV57
    -----END RSA PRIVATE KEY-----
  client_cacert_content: |
    -----BEGIN CERTIFICATE-----
    MIIEmjCCA4KgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
    CzAJBgNVBAgTAkNPMRQwEgYDVQQHEwtGdC4gQ29sbGluczEYMBYGA1UEChMPSGV3
    bGV0dCBQYWNrYXJkMQwwCgYDVQQLEwNDVEwxFjAUBgNVBAMUDUtNSVBfTG9jYWxf
    Q0ExIjAgBgkqhkiG9w0BCQEWE2Rhbi5hc2hiYXVnaEBocC5jb20wHhcNMTQwMTI2
    MTcwOTU4WhcNMjQwMTI1MTcwOTU4WjCBlDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
    AkNPMRQwEgYDVQQHEwtGdC4gQ29sbGluczEYMBYGA1UEChMPSGV3bGV0dCBQYWNr
    YXJkMQwwCgYDVQQLEwNDVEwxFjAUBgNVBAMUDUtNSVBfTG9jYWxfQ0ExIjAgBgkq
    hkiG9w0BCQEWE2Rhbi5hc2hiYXVnaEBocC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
    A4IBDwAwggEKAoIBAQDvEv7rJQRKYddVZePjqVlEJDFq4UVfV7CUXaTs/fxQcRhF
    BJ2cof90EhcbSeA/YFolIJjQLwKzg53zNryCIW4TKqS5Y6nvALxI3Y3tak2Vp9Gy
    PXOfn4Bz0Z2o0E1u4tXvXtuAFBGs760vC6u5KbAgy/xjeO6kpVZCK5KGH7hJ4sBC
    J8b6UOir9m4lAg4K9Yia57uyJkt9LBDWhclv5DOF8LLvLjDca9eXocbDoulUhs94
    QugbUB0GYEdLPtMYwZiIwvNsuIdn8NIAzW/SJ2AnnYZZqo9CHALdxJg0MCHpOKKA
    u8nDcZHAUJOkKUQgNtkFq2gx0N8uCJWqzkEQIaXlAgMBAAGjgfQwgfEwHQYDVR0O
    BBYEFPZqSMXT2ooyVvXZ01Fxe3OvPhafMIHBBgNVHSMEgbkwgbaAFPZqSMXT2ooy
    VvXZ01Fxe3OvPhafoYGapIGXMIGUMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ08x
    FDASBgNVBAcTC0Z0LiBDb2xsaW5zMRgwFgYDVQQKEw9IZXdsZXR0IFBhY2thcmQx
    DDAKBgNVBAsTA0NUTDEWMBQGA1UEAxQNS01JUF9Mb2NhbF9DQTEiMCAGCSqGSIb3
    DQEJARYTZGFuLmFzaGJhdWdoQGhwLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqG
    SIb3DQEBCwUAA4IBAQDOqlaGPXwq186iCXeI9QN9aVW+IZUXiBFdeXYd0F6My/vq
    pop7/R+4IbS3cBUo5hYkEVo6hk9IeKYCHrD7e1QbWfgCfRijhudwmCj80bQcAb+D
    Mu4N4SltOrhMTOl4VSjwdZyRJHSqf4FrgXAqGCfASKOGSyOXfr9qBSn/iqmRaUYm
    fFgsCh6/co2fozkRfgdsdR0MBp1FpV/dMXJqHHLSZB/P126GuYProQmbY0K1uQGU
    FAimEB/a2E+A0oxwuHmhMg0kOpDuXIWn4BW+Z6z5h1j3PFyg/CZ548Fz0XOgvXC7
    Ejpkd+5R+24HloruUV1R2EYvmlr8UMFX80og11u+
    -----END CERTIFICATE-----
0707010000002C000081A40000000000000000000000015E7B82F900000677000000000000000000000000000000000000005D00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/sample_kmip_ca.crt-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
0707010000002D000081A40000000000000000000000015E7B82F90000056A000000000000000000000000000000000000006100000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/sample_kmip_client.crt-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----0707010000002E000081A40000000000000000000000015E7B82F90000068B000000000000000000000000000000000000006100000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/files/samples/sample_kmip_client.key-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
0707010000002F000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004500000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/handlers07070100000030000081A40000000000000000000000015E7B82F900000371000000000000000000000000000000000000004E00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/handlers/main.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Handlers for Barbican

# Restarts the barbican service; `sleep` is the pause in seconds that the
# service module inserts between stop and start.
- name: restart barbican
  service:
    state: restarted
    name: barbican
    sleep: 20

# Handlers for Barbican API

# Records that the API needs a restart by setting a fact; the restart
# itself is not performed here.
- name: barbican_api_config_change
  set_fact:
    barbican_api_restart_required: true
07070100000031000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004100000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/meta07070100000032000081A40000000000000000000000015E7B82F9000002C3000000000000000000000000000000000000004A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/meta/main.yml#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Roles that are applied before this one.
dependencies:
  - { role: barbican-common }
  - { role: FND-AP2 }
07070100000033000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004200000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks07070100000034000081A40000000000000000000000015E7B82F900000846000000000000000000000000000000000000005A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/_configure_auditing.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Debug aid: prints the audit flag, and only when barbican_debug is defined.
- name: KEYMGR-API | _configure_auditing | echo barbican auditing enable flag
  when: barbican_debug is defined
  debug:
    msg: "barbican_api_audit_enable = {{ barbican_api_audit_enable }}"
  tags:
    - barbican
    - barbican_debug

# Audit enabled: filter name "audit", notifications go to the "log" driver.
- name: KEYMGR-API | _configure_auditing  |
    Set notification_driver, audit_filter facts when audit enabled
  when: barbican_api_audit_enable | bool
  set_fact:
    notification_driver_name: "log"
    audit_filter: "audit"
  tags:
    - barbican

# Audit disabled: empty filter and the "noop" driver, so no audit events
# are emitted.
- name: KEYMGR-API | _configure_auditing  |
    Set notification_driver, audit_filter facts when audit disabled
  when: barbican_api_audit_enable | bool == False
  set_fact:
    notification_driver_name: "noop"
    audit_filter: ""
  tags:
    - barbican

# The audit log directory is owned by the barbican user and group and is
# world-readable/traversable (0755); the log file itself is restricted by
# the task that creates it.
- name: KEYMGR-API | _configure_auditing |
    Create auditing logging directory if not there
  when: barbican_api_audit_enable | bool
  become: true
  file:
    state: directory
    path: "{{ barbican_audit_log_base_location }}/barbican"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    mode: "0755"
  tags:
    - barbican

# The audit log is created with mode 0640: writable by the barbican user,
# readable by the centralized logging group, no access for others.
- name: KEYMGR-API | _configure_auditing  | Touch the audit log file
  when: barbican_api_audit_enable | bool
  become: true
  file:
    state: touch
    path: "{{ item }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_centralized_log_group }}"
    mode: "0640"
  with_items:
    - "{{ barbican_audit_log_base_location }}/barbican/barbican-audit.log"
  tags:
    - barbican
07070100000035000081A40000000000000000000000015E7B82F9000002D0000000000000000000000000000000000000006400000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/_configure_deployment_options.yml#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# We are adding here once again to enable reconfiguration of process counts
07070100000036000081A40000000000000000000000015E7B82F90000061B000000000000000000000000000000000000005D00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/_configure_kmip_plugin.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Debug aid: prints the KMIP plugin flag, only when barbican_debug is
# defined.
- name: KEYMGR-API | _configure_kmip_plugin |
    barbican use kmip plugin flag value
  when: barbican_debug is defined
  debug:
    msg: "use_kmip_secretstore_plugin = {{ use_kmip_secretstore_plugin }}"
  tags:
    - barbican

# With KMIP enabled the secret store is the KMIP plugin; the enabled crypto
# plugin is set to simple_crypto.
# NOTE(review): this condition uses the bare variable while the disabling
# task in this file uses `| bool`; confirm both read the flag the same way
# for string values.
- name: KEYMGR-API | _configure_kmip_plugin |
    Configure secretstore to kmip plugin if enabled
  when: use_kmip_secretstore_plugin
  set_fact:
    barbican_enabled_crypto_plugins: "simple_crypto"
    barbican_secretstore_plugins: "kmip_plugin"
  tags:
    - barbican

# With KMIP disabled every KMIP connection setting, including the
# credentials and the client certificate paths, is reset to null.
- name: KEYMGR-API | _configure_kmip_plugin |
    Configure secretstore to store crypto if kmip plugin not enabled
  when: use_kmip_secretstore_plugin | bool == False
  set_fact:
    barbican_kmip_username: null
    barbican_kmip_password: null
    barbican_kmip_host: null
    barbican_kmip_port: null
    barbican_kmip_client_key_path: null
    barbican_kmip_client_cert_path: null
    barbican_kmip_client_cacert_path: null
  tags:
    - barbican
07070100000037000081A40000000000000000000000015E7B82F900000F67000000000000000000000000000000000000006300000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/_configure_kmip_plugin_certs.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Passes the KMIP client certificate, key and CA certificate from the
# ansible control machine to the nodes running the barbican service.

# Debug aid: shows the client certificate content only (not the key), and
# only when barbican_debug is defined.
- name: KEYMGR-API | _configure_kmip_plugin_certs |
    Display variables related to KMIP plugin settings
  when: barbican_debug is defined
  debug:
    var: barbican_kmip_plugin_conf.client_cert_content
  tags:
    - barbican

# Client certificate: a non-empty file path wins; the file is read on the
# control machine by the `file` lookup.
- name: KEYMGR-API | _configure_kmip_plugin_certs  |
    Identify client cert content from file if set
  when:
    barbican_kmip_plugin_conf.client_cert_file_path is defined and
    barbican_kmip_plugin_conf.client_cert_file_path and
    barbican_kmip_plugin_conf.client_cert_file_path | trim != ''
  set_fact:
    kmip_client_cert_content:
      "{{ lookup('file', barbican_kmip_plugin_conf.client_cert_file_path) }}"
  tags:
    - barbican

# Fallback: take the inline content when no file supplied the fact.
- name: KEYMGR-API | _configure_kmip_plugin_certs  |
    Read client cert content from variable when file content not provided
  when: kmip_client_cert_content is not defined
  set_fact:
    kmip_client_cert_content:
      "{{ barbican_kmip_plugin_conf.client_cert_content }}"
  tags:
    - barbican

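# Client private key: a non-empty file path wins; the file is read on the
# control machine by the `file` lookup.
# no_log keeps the key out of the task result that ansible prints in
# verbose runs and writes to its log, matching the copy task in this file.
- name: KEYMGR-API | _configure_kmip_plugin_certs  |
    Identify client key content from file if set
  set_fact:
    kmip_client_key_content:
      "{{ lookup('file', barbican_kmip_plugin_conf.client_key_file_path) }}"
  when:
    barbican_kmip_plugin_conf.client_key_file_path is defined and
    barbican_kmip_plugin_conf.client_key_file_path and
    barbican_kmip_plugin_conf.client_key_file_path | trim != ''
  no_log: True
  tags:
    - barbican

# Fallback: take the inline key when no file supplied the fact. The fact
# holds private key material, so the result is hidden here as well.
- name: KEYMGR-API | _configure_kmip_plugin_certs  |
    Read client key content from variable when file content not provided
  set_fact:
    kmip_client_key_content:
      "{{ barbican_kmip_plugin_conf.client_key_content }}"
  when: kmip_client_key_content is not defined
  no_log: True
  tags:
    - barbican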

# CA certificate: a non-empty file path wins; the file is read on the
# control machine by the `file` lookup.
- name: KEYMGR-API | _configure_kmip_plugin_certs  |
    Identify client cacert content from file if set
  when:
    barbican_kmip_plugin_conf.client_cacert_file_path is defined and
    barbican_kmip_plugin_conf.client_cacert_file_path and
    barbican_kmip_plugin_conf.client_cacert_file_path | trim != ''
  set_fact:
    kmip_client_cacert_content:
      "{{ lookup('file', barbican_kmip_plugin_conf.client_cacert_file_path) }}"
  tags:
    - barbican

# Fallback: take the inline content when no file supplied the fact.
- name: KEYMGR-API | _configure_kmip_plugin_certs  |
    Read client cacert content from variable when file content not provided
  when: kmip_client_cacert_content is not defined
  set_fact:
    kmip_client_cacert_content:
      "{{ barbican_kmip_plugin_conf.client_cacert_content }}"
  tags:
    - barbican

# Writes certificate, private key and CA certificate as the barbican user,
# each readable by its owner only (0400). no_log keeps the key content out
# of ansible's output; the registered result is what flags an API restart.
- name: KEYMGR-API | _configure_kmip_plugin_certs  |
    Copy KMIP client certs file
  become: true
  become_user: "{{ barbican_user }}"
  no_log: true
  copy:
    dest: "{{ item.dest }}"
    content: "{{ item.content }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    mode: "0400"
  with_items:
    - content: "{{ kmip_client_cert_content }}"
      dest: "{{ barbican_kmip_client_cert_path }}"
    - content: "{{ kmip_client_key_content }}"
      dest: "{{ barbican_kmip_client_key_path }}"
    - content: "{{ kmip_client_cacert_content }}"
      dest: "{{ barbican_kmip_client_cacert_path }}"
  register: ardana_notify_barbican_api_restart_required
  tags:
    - barbican
07070100000038000081A40000000000000000000000015E7B82F9000005FA000000000000000000000000000000000000005C00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/_configure_master_key.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Falls back to barbican_default_master_key when the store_crypto plugin is
# selected and no master key has been set (empty or the string "None").
# NOTE(review): barbican_default_master_key is defined outside this file;
# if it is a fixed value shipped with the role, every deployment that takes
# this fallback shares the same key-encryption key - confirm.
- name: KEYMGR-API | _configure_master_key |
    Use default master key if not yet initialized
  when:
    barbican_secretstore_plugins ==
    "store_crypto" and (barbican_simple_crypto_master_key == "None"
    or not barbican_simple_crypto_master_key)
  set_fact:
    barbican_simple_crypto_master_key:
      "{{ barbican_default_master_key }}"
  tags:
    - barbican

# With KMIP as the secret store the simple_crypto master key is set to the
# string "None".
# NOTE(review): unlike its neighbours this task carries no `barbican` tag,
# so a run limited to that tag skips it - confirm this is intended.
- name: KEYMGR-API | _configure_master_key |
    Set barbican_simple_crypto_master_key to None if KMIP is Configured
  when: use_kmip_secretstore_plugin
  set_fact:
    barbican_simple_crypto_master_key: "None"

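# Debug aid, only when barbican_debug is defined. It reports whether each
# master key is set, never the key itself: debug output ends up on the
# console and in ansible's log, where a key-encryption key must not appear.
# A value that is undefined, empty or the string "None" counts as not set.
- name: KEYMGR-API | _configure_master_key | Print existing master key values
  debug:
    msg: >-
      barbican_simple_crypto_master_key is
      {{ 'set' if (barbican_simple_crypto_master_key | default('', true)
      | string) not in ['', 'None'] else 'not set' }},
      barbican_customer_master_key is
      {{ 'set' if (barbican_customer_master_key | default('', true)
      | string) not in ['', 'None'] else 'not set' }}
  when: barbican_debug is defined
  tags:
    - barbican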
07070100000039000081A40000000000000000000000015E7B82F900001ABA000000000000000000000000000000000000005F00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/_configure_pkcs11_plugin.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Debug aid: prints the PKCS11 plugin flag, only when barbican_debug is
# defined.
- name: KEYMGR-API | _configure_pkcs11_plugin |
    barbican use pkcs11 plugin flag value
  when: barbican_debug is defined
  debug:
    msg: "use_pkcs11_crypto_plugin = {{ use_pkcs11_crypto_plugin }}"
  tags:
    - barbican

# With PKCS11 enabled the secret store is store_crypto backed by the
# p11_crypto plugin.
- name: KEYMGR-API | _configure_pkcs11_plugin |
    Configure secretstore to pkcs11 plugin if enabled
  when: use_pkcs11_crypto_plugin
  set_fact:
    barbican_enabled_crypto_plugins: "p11_crypto"
    barbican_secretstore_plugins: "store_crypto"
  tags:
    - barbican

# With PKCS11 disabled the session password, both key labels and the
# library path are reset to null.
- name: KEYMGR-API | _configure_pkcs11_plugin |
    Configure pkcs11 settings to default if pkc11 plugin not enabled
  when: use_pkcs11_crypto_plugin | bool == False
  set_fact:
    barbican_pkcs11_session_password: null
    barbican_pkcs11_mkek_label: null
    barbican_pkcs11_hmac_label: null
    barbican_pkcs11_library_path: null
  tags:
    - barbican

# Uses the ESKM connector's library path when the provider is ESKM and no
# library path was configured. is_bool_true and is_str_set are filters
# defined outside this file.
- name: KEYMGR-API | _configure_pkcs11_plugin |
    Set library path on controller when ESKM pkcs11 connector flag is set
  when: barbican_pkcs11_provider_is_eskm | is_bool_true and
    barbican_pkcs11_library_path | is_str_set == False
  set_fact:
    barbican_pkcs11_library_path:
      "{{ barbican_pkcs11_eskm_connector_library_path }}"
  tags:
    - barbican

# Installs the PKCS11 package when a package name is configured; a change
# flags an API restart through the registered result.
# NOTE(review): `force` on the apt module corresponds to apt-get's
# --force-yes, which lets the install proceed even when the package cannot
# be authenticated. The package comes from a third-party repository and
# presumably provides the PKCS11 library barbican loads, so serve it from a
# signed, trusted repository and drop `force` once that is in place.
- name: KEYMGR-API | _configure_pkcs11_plugin |
    Install pkcs11 debian package on controller from third party repo
  when: barbican_pkcs11_package_name | is_str_set
  become: true
  apt:
    state: "present"
    name: "{{ barbican_pkcs11_package_name }}"
    force: true
  register: ardana_notify_barbican_api_restart_required
  tags:
    - barbican

# Looks up the ESKM connector base path, only when a connector conf file is
# to be generated.
- name: KEYMGR-API | _configure_pkcs11_plugin |
    Read stat for ESKM connector base path on controller
  when: barbican_pkcs11_eskm_generate_conf | is_bool_true
  become: true
  stat:
    path: "{{ barbican_pkcs11_eskm_connector_base_path }}"
  register: barbican_pkcs11_eskm_connector_base_path_result
  tags:
    - barbican

# Stops the play when the lookup above reports that the path does not
# exist.
# NOTE(review): a skipped stat still registers its variable, without a
# `stat` key - confirm the condition evaluates cleanly in that case.
- name: KEYMGR-API | _configure_pkcs11_plugin |
    Check stat for ESKM connector base path on controller
  when: barbican_pkcs11_eskm_connector_base_path_result is defined and
        barbican_pkcs11_eskm_connector_base_path_result.stat.exists == False
  fail:
    msg: >-
      Missing ESKM pkcs11 connector at path
      '{{ barbican_pkcs11_eskm_connector_base_path }}'
  tags:
    - barbican

# Client certificates are distributed only when a PKCS11 plugin
# configuration has been supplied.
- when: barbican_pkcs11_plugin_conf is defined
  include: _configure_pkcs11_plugin_certs.yml

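# Runs the connector's controlencryption tool to write its conf file for
# the configured KMIP host and port.
# The line is run by bash with elevated privileges, so host and port are
# shell-quoted: a value with spaces or shell metacharacters stays a single
# argument instead of being interpreted by the shell.
- name: KEYMGR-API | _configure_pkcs11_plugin |
    Generate ESKM PKCS11 connector conf file
  shell: >
    {{ barbican_pkcs11_eskm_connector_base_path }}/bin/controlencryption
    --setserver={{ barbican_pkcs11_eskm_kmip_host | string | quote }}
    --port={{ barbican_pkcs11_eskm_kmip_port | string | quote }}
  args:
    chdir: "{{ barbican_pkcs11_eskm_connector_base_path }}/bin"
    executable: /bin/bash
  become: yes
  when: barbican_pkcs11_eskm_generate_conf | is_bool_true and
        barbican_pkcs11_eskm_kmip_host | is_str_set and
        barbican_pkcs11_eskm_kmip_port | is_str_set
  register: eskm_pkcs11_generate_conf_result
  tags:
    - barbican

# Prints the registered result of the generation step; the command line it
# contains carries only the host and port.
- name: KEYMGR-API | _configure_pkcs11_plugin |
    Result for PKCS11 connector conf generation
  debug:
    msg: "eskm_pkcs11_generate_conf_result =
      {{ eskm_pkcs11_generate_conf_result }}"
  when: eskm_pkcs11_generate_conf_result is defined
  tags:
    - barbican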

# Rewrites two settings in the generated config.conf from true to false.
# NOTE(review): requireSignVerify=false reads like a relaxation of a
# verification step in the connector; its exact meaning is not shown here -
# confirm against the connector documentation that this is intended.
# NOTE(review): this task has no `barbican` tag and its condition may also
# hold when the generation step was skipped - confirm.
- name: KEYMGR-API | _configure_pkcs11_plugin |
    Update pkcs11 conf values in generated config.conf file
  when: eskm_pkcs11_generate_conf_result | success
  become: true
  lineinfile:
    state: "present"
    dest: "{{ barbican_pkcs11_eskm_connector_base_path }}/conf/config.conf"
    regexp: "{{ item.regexp }}"
    line: "{{ item.value }}"
  with_items:
    - regexp: '^sessionObjectCleanup=true'
      value: 'sessionObjectCleanup=false'
    - regexp: '^requireSignVerify=true'
      value: 'requireSignVerify=false'

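# A label that already exists is not treated as a failure, which keeps
# label generation idempotent.
# The session passphrase is passed as a command-line argument and the task
# result records the full command, so no_log keeps that result out of
# ansible's output and log. The passphrase is quoted so that spaces or
# quote characters in it cannot split the argument. It is still an argument
# of the barbican-manage process while that process runs.
- name: KEYMGR-API | _configure_pkcs11_plugin | Generate pkcs11 mkek label
  command: >
      {{ barbican_bin_dir }}/barbican-manage hsm gen_mkek
      --library-path {{ barbican_pkcs11_library_path }}
      --passphrase {{ barbican_pkcs11_session_password | quote }}
      --slot-id {{ barbican_pkcs11_slot_id }}
      --label '{{ barbican_pkcs11_mkek_label }}'
  become: yes
  when: barbican_pkcs11_generate_labels | is_bool_true and
        barbican_pkcs11_library_path | is_str_set and
        barbican_pkcs11_session_password | is_str_set and
        barbican_pkcs11_mkek_label | is_str_set
  register: pkcs11_generate_mkek_label_result
  failed_when: (pkcs11_generate_mkek_label_result | failed and
    'already exists' not in pkcs11_generate_mkek_label_result.stdout)
  no_log: True
  run_once: True
  tags:
    - barbican

# Reports the outcome of the step above without the registered command
# line, which contains the passphrase. Command output is left out as well
# because it is not known here whether the tool echoes its arguments.
- name: KEYMGR-API | _configure_pkcs11_plugin |
    Result for PKCS11 mkek label generation
  debug:
    msg: >-
      pkcs11_generate_mkek_label_result:
      rc={{ pkcs11_generate_mkek_label_result.rc | default('n/a') }}
      changed={{ pkcs11_generate_mkek_label_result.changed | default(false) }}
      skipped={{ pkcs11_generate_mkek_label_result.skipped | default(false) }}
  when: pkcs11_generate_mkek_label_result is defined
  tags:
    - barbican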

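# A label that already exists is not treated as a failure, which keeps
# label generation idempotent.
# The session passphrase is passed as a command-line argument and the task
# result records the full command, so no_log keeps that result out of
# ansible's output and log. The passphrase is quoted so that spaces or
# quote characters in it cannot split the argument. It is still an argument
# of the barbican-manage process while that process runs.
- name: KEYMGR-API | _configure_pkcs11_plugin | Generate pkcs11 hmac label
  command: >
      {{ barbican_bin_dir }}/barbican-manage hsm gen_hmac
      --library-path {{ barbican_pkcs11_library_path }}
      --passphrase {{ barbican_pkcs11_session_password | quote }}
      --slot-id {{ barbican_pkcs11_slot_id }}
      --label '{{ barbican_pkcs11_hmac_label }}'
  become: yes
  when: barbican_pkcs11_generate_labels | is_bool_true and
        barbican_pkcs11_library_path | is_str_set and
        barbican_pkcs11_session_password | is_str_set and
        barbican_pkcs11_hmac_label | is_str_set
  register: pkcs11_generate_hmac_label_result
  failed_when: (pkcs11_generate_hmac_label_result | failed and
    'already exists' not in pkcs11_generate_hmac_label_result.stdout)
  no_log: True
  run_once: True
  tags:
    - barbican

# Reports the outcome of the step above without the registered command
# line, which contains the passphrase. Command output is left out as well
# because it is not known here whether the tool echoes its arguments.
- name: KEYMGR-API | _configure_pkcs11_plugin |
    Result for PKCS11 hmac label generation
  debug:
    msg: >-
      pkcs11_generate_hmac_label_result:
      rc={{ pkcs11_generate_hmac_label_result.rc | default('n/a') }}
      changed={{ pkcs11_generate_hmac_label_result.changed | default(false) }}
      skipped={{ pkcs11_generate_hmac_label_result.skipped | default(false) }}
  when: pkcs11_generate_hmac_label_result is defined
  tags:
    - barbican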
0707010000003A000081A40000000000000000000000015E7B82F9000010E3000000000000000000000000000000000000006500000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/_configure_pkcs11_plugin_certs.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Passes the PKCS11 client certificate, key and CA certificate from the
# ansible control machine to the nodes running the barbican service.

# Debug aid: shows the client certificate content only (not the key), and
# only when barbican_debug is defined.
- name: KEYMGR-API | _configure_pkcs11_plugin_certs |
    Display variables related to PKCS11 plugin settings
  when: barbican_debug is defined
  debug:
    var: barbican_pkcs11_plugin_conf.client_cert_content
  tags:
    - barbican

# Client certificate: a configured file path wins; the file is read on the
# control machine by the `file` lookup.
- name: KEYMGR-API | _configure_pkcs11_plugin_certs  |
    Identify client cert content from file if set
  when: barbican_pkcs11_plugin_conf.client_cert_file_path | is_str_set
  set_fact:
    pkcs11_client_cert_content:
      "{{ lookup('file', barbican_pkcs11_plugin_conf.client_cert_file_path) }}"
  tags:
    - barbican

# Fallback: take the inline content when no file supplied the fact.
- name: KEYMGR-API | _configure_pkcs11_plugin_certs  |
    Read client cert content from variable when file content not provided
  when: pkcs11_client_cert_content is not defined
  set_fact:
    pkcs11_client_cert_content:
      "{{ barbican_pkcs11_plugin_conf.client_cert_content }}"
  tags:
    - barbican

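# Client private key: a configured file path wins; the file is read on the
# control machine by the `file` lookup.
# no_log keeps the key out of the task result that ansible prints in
# verbose runs and writes to its log, matching the copy task in this file.
- name: KEYMGR-API | _configure_pkcs11_plugin_certs  |
    Identify client key content from file if set
  set_fact:
    pkcs11_client_key_content:
      "{{ lookup('file', barbican_pkcs11_plugin_conf.client_key_file_path) }}"
  when: barbican_pkcs11_plugin_conf.client_key_file_path | is_str_set
  no_log: True
  tags:
    - barbican

# Fallback: take the inline key when no file supplied the fact. The fact
# holds private key material, so the result is hidden here as well.
- name: KEYMGR-API | _configure_pkcs11_plugin_certs  |
    Read client key content from variable when file content not provided
  set_fact:
    pkcs11_client_key_content:
      "{{ barbican_pkcs11_plugin_conf.client_key_content }}"
  when: pkcs11_client_key_content is not defined
  no_log: True
  tags:
    - barbican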

# CA certificate: a configured file path wins; the file is read on the
# control machine by the `file` lookup.
- name: KEYMGR-API | _configure_pkcs11_plugin_certs  |
    Identify client cacert content from file if set
  when: barbican_pkcs11_plugin_conf.client_cacert_file_path | is_str_set
  set_fact:
    pkcs11_client_cacert_content:
      "{{ lookup('file',
        barbican_pkcs11_plugin_conf.client_cacert_file_path) }}"
  tags:
    - barbican

# Fallback: take the inline content when no file supplied the fact.
- name: KEYMGR-API | _configure_pkcs11_plugin_certs  |
    Read client cacert content from variable when file content not provided
  when: pkcs11_client_cacert_content is not defined
  set_fact:
    pkcs11_client_cacert_content:
      "{{ barbican_pkcs11_plugin_conf.client_cacert_content }}"
  tags:
    - barbican

# Uses the ESKM connector's certificate, key and CA paths when the provider
# is ESKM and none of the three destination paths was configured.
- name: KEYMGR-API | _configure_pkcs11_plugin_certs  |
    Set certs path on controller when ESKM pkcs11 connector flag is set
  when: barbican_pkcs11_provider_is_eskm | is_bool_true and
    barbican_pkcs11_client_cert_path | is_str_set == False and
    barbican_pkcs11_client_key_path | is_str_set == False and
    barbican_pkcs11_client_cacert_path | is_str_set == False
  set_fact:
    barbican_pkcs11_client_cacert_path:
      "{{ barbican_pkcs11_eskm_connector_client_cacert_path }}"
    barbican_pkcs11_client_key_path:
      "{{ barbican_pkcs11_eskm_connector_client_key_path }}"
    barbican_pkcs11_client_cert_path:
      "{{ barbican_pkcs11_eskm_connector_client_cert_path }}"
  tags:
    - barbican

# Writes certificate, private key and CA certificate owned by the barbican
# user and group, each readable by its owner only (0400). no_log keeps the
# key content out of ansible's output; the registered result is what flags
# an API restart.
- name: KEYMGR-API | _configure_pkcs11_plugin_certs  |
    Copy PKCS11 client certs file
  become: true
  no_log: true
  copy:
    dest: "{{ item.dest }}"
    content: "{{ item.content }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    mode: "0400"
  with_items:
    - content: "{{ pkcs11_client_cert_content }}"
      dest: "{{ barbican_pkcs11_client_cert_path }}"
    - content: "{{ pkcs11_client_key_content }}"
      dest: "{{ barbican_pkcs11_client_key_path }}"
    - content: "{{ pkcs11_client_cacert_content }}"
      dest: "{{ barbican_pkcs11_client_cacert_path }}"
  register: ardana_notify_barbican_api_restart_required
  tags:
    - barbican
0707010000003B000081A40000000000000000000000015E7B82F900000348000000000000000000000000000000000000005700000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/_configure_vhost.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Render the mod_wsgi vhost for barbican-api into the Apache vhost directory.
# The registered result records whether the file changed.
- name: KEYMGR-API | configure | configure barbican-api vhost
  template:
    dest: "{{ apache2_vhost_dir }}/barbican-api-modwsgi.vhost"
    src: barbican-api-modwsgi.conf.j2
    mode: "0644"
  become: true
  register: ardana_notify_barbican_api_restart_required
0707010000003C000081A40000000000000000000000015E7B82F900000BEE000000000000000000000000000000000000005D00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/_validate_plugins_conf.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---


# Neither pkcs11 nor kmip is enabled: fall back to the store_crypto secret
# store with the simple_crypto crypto plugin.
- name: KEYMGR-API | _validate_plugins_conf |
    Configure to default when pkcs11 and kmip plugin is not enabled
  tags:
    - barbican
  when: use_pkcs11_crypto_plugin | bool == False and
    use_kmip_secretstore_plugin | bool == False
  set_fact:
    barbican_enabled_crypto_plugins: "simple_crypto"
    barbican_secretstore_plugins: "store_crypto"

# pkcs11 and kmip are mutually exclusive; abort the play if both are enabled.
- name: KEYMGR-API | _validate_plugins_conf |
    Fail that both pkcs11 and kmip plugins are  enabled
  tags:
    - barbican
  when: use_pkcs11_crypto_plugin | bool == True and
    use_kmip_secretstore_plugin | bool == True
  fail:
    msg: "Both pkcs11 and kmip plugin cannot be enabled at the same time"

# The pkcs11 crypto plugin needs a library path; abort when it is enabled
# without one.
- name: KEYMGR-API | _validate_plugins_conf |
    Fail when library path is not set for pkcs11 plugin
  tags:
    - barbican
  when: use_pkcs11_crypto_plugin | is_bool_true and
    barbican_pkcs11_library_path | is_str_set| bool == False
  fail:
    msg: "For pkcs11, required pkcs11 library path is not set"

# Label generation is requested: the library path, session password and MKEK
# label must all be set, otherwise abort.
- name: KEYMGR-API | _validate_plugins_conf |
    Fail when needed pkcs11 generate mkek variables are not set
  tags:
    - barbican
  when: barbican_pkcs11_generate_labels | is_bool_true and (
        barbican_pkcs11_library_path | is_str_set | bool == False or
        barbican_pkcs11_session_password | is_str_set | bool == False or
        barbican_pkcs11_mkek_label | is_str_set | bool == False)
  fail:
    msg: >-
      For pkcs11, required pkcs11 library path,
      passphrase or mkek label is not set

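# Label generation is requested: the library path, session password and HMAC
# label must all be set, otherwise abort.
# The message names the HMAC label. It previously said "mkek label", which
# pointed operators at the wrong variable when only the HMAC label was missing.
- name: KEYMGR-API | _validate_plugins_conf |
    Fail when needed pkcs11 generate hmac variables are not set
  fail:
    msg: "For pkcs11, required pkcs11 library path, passphrase or hmac label
      is not set"
  when: barbican_pkcs11_generate_labels | is_bool_true and (
        barbican_pkcs11_library_path | is_str_set | bool == False or
        barbican_pkcs11_session_password | is_str_set | bool == False or
        barbican_pkcs11_hmac_label | is_str_set | bool == False)
  tags:
    - barbican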

# Abort when ESKM pkcs11 conf generation is requested but the KMIP host or
# the KMIP port is not set.
- name: KEYMGR-API | _validate_plugins_conf |
    Fail when needed ESKM pkcs11 generate conf variables are not set
  fail:
    msg: "For ESKM pkcs11 conf generation, required kmip host and port
      is not set"
  when: barbican_pkcs11_eskm_generate_conf | is_bool_true and (
        barbican_pkcs11_eskm_kmip_host | is_str_set == False or
        barbican_pkcs11_eskm_kmip_port | is_str_set == False)
  tags:
    - barbican0707010000003D000081A40000000000000000000000015E7B82F9000015F5000000000000000000000000000000000000005000000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/configure.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Print the connecting SSH user; only runs when barbican_debug is defined.
- name: KEYMGR-API | configure | echo remote user
  when: barbican_debug is defined
  debug:
    msg: "ansible_ssh_user = {{ ansible_ssh_user }}"

# Include the barbican-common _set_directories.yml tasks, handing them the
# registered install result.
- name: KEYMGR-API | configure |
    Set installed component specific directories path
  vars:
    install_package_result: "{{ barbican_api_install_result }}"
  include: ../../barbican-common/tasks/_set_directories.yml

# The API config directory is the barbican conf directory.
- name: KEYMGR-API | configure  | set api config dir location
  set_fact:
    barbican_api_config_dir: "{{ barbican_conf_dir }}"

# Touch each barbican log file so it exists with owner barbican_user, group
# barbican_centralized_log_group and mode 0640 (no access for others).
- name: KEYMGR-API | configure  | Touch the log file
  become: true
  file:
    state: touch
    path: "{{ item }}"
    mode: "0640"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_centralized_log_group }}"
  with_items:
    - /var/log/barbican/barbican.log
    - /var/log/barbican/barbican-json.log
    - /var/log/barbican/barbican-api.log
    - /var/log/barbican/barbican-access.log
    - /var/log/barbican/barbican-monitor.log
  tags:
    - barbican

# Set every variable the templates use before the templates are rendered.
# The template task can then detect a difference from the existing file
# content and notify a restart only on a real change. Do not change or set
# file content afterwards with crudini: that always reports a change and
# therefore always forces a server restart.
- name: KEYMGR-API | configure | Includes features configuration playbook
  include: configure_features.yml

# Render the API configuration files as the barbican user. Every file is
# owner-only: 0400 for policy.json and the audit map, 0600 for the rest.
# The registered result records whether any file changed.
- name: KEYMGR-API | configure  |
    Copies policy, barbican.conf, paste ini, api logging, audit map
    vassal files
  become: true
  become_user: "{{ barbican_user }}"
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
  with_items:
    - src: "policy.json"
      dest: "{{ barbican_conf_dir }}/policy.json"
      mode: "0400"
    - src: "barbican.conf.j2"
      dest: "{{ barbican_conf_dir }}/{{ barbican_api_conf_file }}"
      mode: "0600"
    - src: "barbican-api-paste.ini.j2"
      dest: "{{ barbican_conf_dir }}/barbican-api-paste.ini"
      mode: "0600"
    - src: "api-logging.conf.j2"
      dest: "{{ barbican_conf_dir }}/api-logging.conf"
      mode: "0600"
    - src: "api_audit_map.conf.j2"
      dest: "{{ barbican_conf_dir }}/api_audit_map.conf"
      mode: "0400"
    - src: "vassals_barbican-api.ini.j2"
      dest: "{{ barbican_conf_dir }}/vassals/barbican-api.ini"
      mode: "0600"
  register: ardana_notify_barbican_api_restart_required
  tags:
    - barbican

# Informational only: report that the registered result shows a change.
- name: KEYMGR-API | configure | notify api restart if changed
  when: ardana_notify_barbican_api_restart_required.changed
  debug:
    msg: >-
      barbican api conf file(s) have changed so barbican-api
      restart needed

# Ensure the barbican directory exists under the web root, owned by the
# barbican user and group, mode 0755.
- name: KEYMGR-API | configure | Create barbican WSGI directory
  file:
    state: directory
    path: "{{ www_root }}/barbican"
    mode: "0755"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
  become: true
  tags:
    - barbican

# Link the venv's barbican-wsgi-api script into the WSGI directory; the link
# itself is owned by root.
- name: KEYMGR-API | configure | Create symbolic link for the barbican-api startup
  file:
    state: link
    src: "{{ barbican_venv_dir }}/bin/barbican-wsgi-api"
    dest: "{{ www_root }}/barbican/api"
    owner: root
    group: root
  become: true

# Render the Apache vhost through the dedicated task file.
- name: KEYMGR-API | configure | Configure the barbican_api_server vhost (SUSE)
  include: _configure_vhost.yml

# Expose each rendered config file under /etc/barbican as a symlink into the
# barbican conf directory.
- name: KEYMGR-API | configure | Create barbican conf symlinks
  file:
    state: link
    src: "{{ barbican_conf_dir }}/{{ item }}"
    dest: "/etc/barbican/{{ item }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
  become: true
  with_items:
    - "{{ barbican_api_conf_file }}"
    - barbican-api-paste.ini
    - api_audit_map.conf
    - api-logging.conf
    - policy.json
    - vassals/barbican-api.ini
  tags:
    - barbican

# Print the home directory the client env file is written to.
- name: KEYMGR-API | configure | echo ardanauser_home
  debug:
    msg: "ardanauser_home = {{ ardanauser_home }}"

# Render barbican.osrc into the ardana user's home on the target host,
# owner-only (mode 0600).
- name: KEYMGR-API | configure  | Copy barbican client env file
  template:
    src: "{{ item }}"
    dest: "{{ ardanauser_home }}"
    mode: "0600"
    owner: "{{ ardanauser }}"
    group: "{{ ardanauser }}"
  with_items:
    - barbican.osrc
  tags:
    - barbican

# Same render as on the target host, but delegated to localhost (the
# deployer); the file is again owner-only (mode 0600).
- name: KEYMGR-API | configure  | Copy barbican client env file to deployer
  delegate_to: localhost
  template:
    src: "{{ item }}"
    dest: "{{ ardanauser_home }}"
    mode: "0600"
    owner: "{{ ardanauser }}"
    group: "{{ ardanauser }}"
  with_items:
    - barbican.osrc
  tags:
    - barbican

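# Create or upgrade the barbican database schema to barbican_db_version.
# Runs once per play, as the barbican user.
#
# no_log: the database connection string is passed on the command line, and
# the command module echoes the full command in its result. It presumably
# embeds the database credentials (confirm), so the task output is suppressed.
# Remove no_log temporarily when a migration failure needs to be diagnosed.
#
# NOTE(review): the argument is still visible in the host's process list
# while the command runs. Consider whether barbican-manage can take the
# connection from the rendered config file instead (verify).
- name: KEYMGR-API | configure |
    Create/Upgrade Barbican database via barbican-manage command script
  command: >
    "{{ barbican_bin_dir }}/barbican-manage"
    db upgrade {{ barbican_database_connection_string }}
    --version "{{ barbican_db_version }}"
  run_once: true
  become: true
  become_user: "{{ barbican_user }}"
  no_log: true
  tags:
    - barbican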

# Make barbican-manage available in /usr/local/bin via a symlink into the
# barbican bin directory.
- name: KEYMGR-API | configure | Create barbican-manage command symlink
  file:
    state: link
    dest: "/usr/local/bin/{{ item }}"
    src: "{{ barbican_bin_dir }}/{{ item }}"
  become: true
  with_items:
    - barbican-manage
  tags:
    - barbican
0707010000003E000081A40000000000000000000000015E7B82F900000433000000000000000000000000000000000000005900000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/configure_features.yml#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Feature configuration, included in this order.
- include: _configure_deployment_options.yml

- include: _configure_auditing.yml

# KMIP client certificates are handled only when a KMIP plugin configuration
# is defined.
- include: _configure_kmip_plugin_certs.yml
  when: barbican_kmip_plugin_conf is defined

- include: _configure_kmip_plugin.yml

# The ESKM pkcs11 package is available on Debian only.
- include: _configure_pkcs11_plugin.yml
  when: ansible_os_family | lower == 'debian'

# NOTE(review): validation runs after the plugin configuration includes above.
# Confirm that nothing sensitive (certs, keys) is written for an invalid
# plugin combination before these checks fail the play.
- include: _validate_plugins_conf.yml

- include: _configure_master_key.yml


0707010000003F000081A40000000000000000000000015E7B82F900000FAD000000000000000000000000000000000000004E00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/install.yml#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Some of these libraries are already in base node install. No harm in listing
# here.
# python-httplib2 is an ansible dependency for the module uri
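# Install every OS package listed in barbican_package_dependencies.
# The list is passed as a templated expression. A bare variable name in
# with_items is deprecated, and newer Ansible releases treat it as a literal
# string, which would request a package named after the variable.
- name: KEYMGR-API | install | Install OS specific required packages (legacy)
  become: true
  package:
    name: "{{ item }}"
    state: present
  with_items: "{{ barbican_package_dependencies }}"
  tags:
    - barbican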

# Install crudini; skipped when the deployer uses the legacy media layout.
- name: KEYMGR-API | install | Install OS specific required packages
  when: deployer_media_legacy_layout|bool == False
  package:
    name: "{{ item }}"
    state: present
  become: true
  with_items:
    - crudini
  tags:
    - barbican

# Ensure the barbican service group exists.
- name: KEYMGR-API | install | Add group '{{ barbican_group }}'
  group:
    state: present
    name: "{{ barbican_group }}"
  become: true
  tags:
    - barbican

# Ensure the barbican service account exists with its own home directory.
# Its login shell is /bin/true, so the account cannot be used for an
# interactive login.
- name: KEYMGR-API | install | Add user '{{ barbican_user }}'
  user:
    state: present
    name: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    home: "{{ barbican_home_dir }}"
    createhome: true
    shell: /bin/true
  become: true
  tags:
    - barbican

# Restrict the service account's home directory to owner and group
# (mode 0750, no access for others).
- name: KEYMGR-API | install | Update Home directory permission
  file:
    state: directory
    path: "{{ barbican_home_dir }}"
    mode: "0750"
  become: true
  tags:
    - barbican

# Refresh the install_package cache before installing.
- name: KEYMGR-API | install | Update venv cache
  install_package:
    cache: update
  become: true

# Install the barbican package for the API service without activating it
# (activate: act_off). The result is registered for later tasks and the
# barbican_api_config_change handler is notified.
- name: KEYMGR-API | install | Install Barbican from barbican venv
  install_package:
    state: present
    name: barbican
    service: "{{ barbican_api_service_name }}"
    activate: act_off
  become: true
  notify: barbican_api_config_change
  register: barbican_api_install_result
  tags:
    - barbican

# Print the registered install result.
- name: KEYMGR-API | install | Install packge result echo
  debug:
    msg: "barbican_api_install_result = {{ barbican_api_install_result }}"

# Include the barbican-common _set_directories.yml tasks, handing them the
# registered install result.
- vars:
    install_package_result: "{{ barbican_api_install_result }}"
  include: ../../barbican-common/tasks/_set_directories.yml

# Create the conf directory tree, owned by the barbican user and group.
# NOTE(review): ssl/certs is world-readable (0755) here, while
# /etc/barbican/ssl/certs in the following task is owner-only. Confirm this
# difference is intended.
- name: KEYMGR-API | install | Create barbican config directories only
  file:
    state: directory
    path: "{{ item.name }}"
    mode: "{{ item.mode }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
  become: true
  with_items:
    - name: "{{ barbican_conf_dir }}"
      mode: "0755"
    - name: "{{ barbican_conf_dir }}/vassals"
      mode: "0755"
    - name: "{{ barbican_conf_dir }}/ssl/certs"
      mode: "0755"
  tags:
    - barbican

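# Create /etc/barbican and its sub-directories, owned by the barbican user
# and group.
#
# Modes are absolute octal strings, matching the conf-directory task above.
# The previous relative symbolic modes ("u+rwx,g+rx,o+rx", "u+rwx,g-rx,o-rx")
# only add or remove the named bits, so a pre-existing directory (or one
# created under a permissive umask) could keep group/other write access,
# including on ssl/certs. With a 022 umask the resulting modes are the same
# as before: 0755, 0755 and 0700.
- name: KEYMGR-API | install | Create /etc/barbican directories only
  become: true
  file:
    path: "{{ item.name }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    mode: "{{ item.mode }}"
    state: directory
  with_items:
    - name: /etc/barbican
      mode: "0755"
    - name: /etc/barbican/vassals
      mode: "0755"
    - name: /etc/barbican/ssl/certs
      mode: "0700"
  tags:
    - barbican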

# Print the resolved venv, bin, conf and share directories; only runs when
# barbican_debug is defined.
- name: KEYMGR-API | install | print venv
  when: barbican_debug is defined
  debug:
    msg: "Barbican venv dir = {{ barbican_venv_dir }},
    bin dir = {{ barbican_bin_dir }},
    conf dir = {{ barbican_conf_dir }},
    share dir = {{ barbican_share_dir }}"
  tags:
    - barbican
    - barbican_debug

# Ensure /var/log/barbican exists, owned by the barbican user and group,
# mode 0755.
- name: KEYMGR-API | install | Create logging directory
  file:
    state: directory
    path: /var/log/barbican
    mode: "0755"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
  become: true
  tags:
    - barbican
07070100000040000081A40000000000000000000000015E7B82F9000007B2000000000000000000000000000000000000005A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/keystone_change_pwd.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---


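# Obtain a domain-scoped Keystone token using the Keystone admin credentials.
# The result is registered for the password-reset tasks that follow.
#
# no_log: the task takes the admin password as a module argument and its
# result carries the issued token, so both are kept out of Ansible output
# and logs. Remove it temporarily when diagnosing an authentication failure.
- name: KEYMGR-API | keystone_change_pwd | Get a domain scoped token
  keystone_v3:
    endpoint: "{{ keystone.admin_url }}/v3"
    login_username: "{{ keystone.admin_user }}"
    login_password: "{{ keystone.admin_password }}"
    login_user_domain_name: "{{ keystone.default_domain_name }}"
    login_domain_name: "{{ keystone.default_domain_name }}"
    action: "token_get"
  register: domain_scoped_token_result
  run_once: true
  no_log: true
  tags:
    - barbican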

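# Reset the Barbican service user's password through the Keystone admin API,
# authenticating with the registered token.
#
# no_log: the new password and the admin token are module arguments, so the
# task output is suppressed to keep them out of Ansible output and logs.
- name: KEYMGR-API | keystone_change_pwd |
    Update Barbican Service User password
  keystone_v3:
    login_token: "{{ domain_scoped_token_result.result }}"
    endpoint: "{{ keystone.admin_url }}/v3"
    action: "reset_password_by_admin"
    user_name: "{{ barbican_service_user }}"
    user_password: "{{ barbican_service_password }}"
    user_domain_name: "{{ barbican_admin_domain_name }}"
  run_once: true
  no_log: true
  tags:
    - barbican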

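# Reset the Barbican admin user's password through the Keystone admin API,
# authenticating with the registered token.
#
# no_log: the new password and the admin token are module arguments, so the
# task output is suppressed to keep them out of Ansible output and logs.
- name: KEYMGR-API | keystone_change_pwd | Update Barbican Admin User password
  keystone_v3:
    login_token: "{{ domain_scoped_token_result.result }}"
    endpoint: "{{ keystone.admin_url }}/v3"
    action: "reset_password_by_admin"
    user_name: "{{ barbican_admin_user }}"
    user_password: "{{ barbican_admin_user_password }}"
    user_domain_name: "{{ barbican_admin_domain_name }}"
  run_once: true
  no_log: true
  tags:
    - barbican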
07070100000041000081A40000000000000000000000015E7B82F900001ABC000000000000000000000000000000000000005400000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/keystone_conf.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

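# Obtain a domain-scoped Keystone token using the Keystone admin credentials.
# The result is registered for every Keystone task that follows in this file.
#
# no_log: the task takes the admin password as a module argument and its
# result carries the issued token, so both are kept out of Ansible output
# and logs. Remove it temporarily when diagnosing an authentication failure.
- name: KEYMGR-API | keystone_conf | Get a domain scoped token
  keystone_v3:
    endpoint: "{{ keystone.admin_url }}/v3"
    login_username: "{{ keystone.admin_user }}"
    login_password: "{{ keystone.admin_password }}"
    login_user_domain_name: "{{ keystone.default_domain_name }}"
    login_domain_name: "{{ keystone.default_domain_name }}"
    action: "token_get"
  register: domain_scoped_token_result
  run_once: true
  no_log: true
  tags:
    - barbican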

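# Create the Barbican service user in the Barbican admin domain.
#
# no_log: the account password and the admin token are module arguments, so
# the task output is suppressed to keep them out of Ansible output and logs.
- name: KEYMGR-API | keystone_conf | Create Barbican Service User
  become: true
  keystone_v3:
    login_token: "{{ domain_scoped_token_result.result }}"
    endpoint: "{{ keystone.admin_url }}/v3"
    action: "create_user"
    user_name: "{{ barbican_service_user }}"
    user_password: "{{ barbican_service_password }}"
    description:
      "Bootstrap Account: Service User used by Barbican for token validation
      (created via barbican deploy)"
    user_domain_name: "{{ barbican_admin_domain_name }}"
  run_once: true
  no_log: true
  tags:
    - barbican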

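# Create the Barbican admin user in the Barbican admin domain.
#
# no_log: the account password and the admin token are module arguments, so
# the task output is suppressed to keep them out of Ansible output and logs.
- name: KEYMGR-API | keystone_conf | Create Barbican Admin User
  become: true
  keystone_v3:
    login_token: "{{ domain_scoped_token_result.result }}"
    endpoint: "{{ keystone.admin_url }}/v3"
    action: "create_user"
    user_name: "{{ barbican_admin_user }}"
    user_password: "{{ barbican_admin_user_password }}"
    description:
      "Bootstrap Account: Barbican Service Admin user
      (created via barbican deploy)"
    user_domain_name: "{{ barbican_admin_domain_name }}"
  run_once: true
  no_log: true
  tags:
    - barbican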

# Create the five Barbican roles (creator, observer, auditor, admin and
# service admin), authenticating with the registered token.
- name: KEYMGR-API | keystone_conf | Create Barbican specific roles
  run_once: true
  keystone_v3:
    action: "create_role"
    endpoint: "{{ keystone.admin_url }}/v3"
    login_token: "{{ domain_scoped_token_result.result }}"
    role_name: "{{ item.role_name }}"
    description: "{{ item.description }}"
  with_items:
    - role_name: "{{ barbican_creator_role }}"
      description: "Bootstrap Role: creator role (created via barbican deploy)"
    - role_name: "{{ barbican_observer_role }}"
      description: "Bootstrap Role: observer role (created via barbican deploy)"
    - role_name: "{{ barbican_auditor_role }}"
      description: "Bootstrap Role: auditor role (created via barbican deploy)"
    - role_name: "{{ barbican_admin_role }}"
      description: "Bootstrap Role: admin role (created via barbican deploy)"
    - role_name: "{{ barbican_service_admin_role }}"
      description:
        "Bootstrap Role: service admin role (created via barbican deploy)"
  tags:
    - barbican

# Grant the Keystone service role to the Barbican service user on the
# service project.
- name: KEYMGR-API | keystone_conf |
    Create role assignment for Barbican service user with keystone service role
    in service project
  become: true
  run_once: true
  keystone_v3:
    action: "grant_project_role"
    endpoint: "{{ keystone.admin_url }}/v3"
    login_token: "{{ domain_scoped_token_result.result }}"
    role_name: "{{ keystone_service_role }}"
    user_name: "{{ barbican_service_user }}"
    user_domain_name: "{{ barbican_admin_domain_name }}"
    project_name: "{{ keystone.service_tenant_name }}"
    project_domain_name: "{{ barbican_admin_domain_name }}"
  tags:
    - barbican

# Grant the Keystone admin role to the Barbican admin user on the admin
# project.
- name: KEYMGR-API | keystone_conf |
    Create role assignment for Barbican admin user with Keystone admin role in
    admin project
  become: true
  run_once: true
  keystone_v3:
    action: "grant_project_role"
    endpoint: "{{ keystone.admin_url }}/v3"
    login_token: "{{ domain_scoped_token_result.result }}"
    role_name: "{{ keystone.admin_role }}"
    user_name: "{{ barbican_admin_user }}"
    user_domain_name: "{{ barbican_admin_domain_name }}"
    project_name: "{{ keystone.admin_tenant_name }}"
    project_domain_name: "{{ barbican_admin_domain_name }}"
  tags:
    - barbican

# Grant the Barbican admin role to the Barbican admin user on the admin
# project.
- name: KEYMGR-API | keystone_conf |
    Create role assignment for Barbican admin user with Barbican admin role in
    admin project
  become: true
  run_once: true
  keystone_v3:
    action: "grant_project_role"
    endpoint: "{{ keystone.admin_url }}/v3"
    login_token: "{{ domain_scoped_token_result.result }}"
    role_name: "{{ barbican_admin_role }}"
    user_name: "{{ barbican_admin_user }}"
    user_domain_name: "{{ barbican_admin_domain_name }}"
    project_name: "{{ keystone.admin_tenant_name }}"
    project_domain_name: "{{ barbican_admin_domain_name }}"
  tags:
    - barbican

# Grant the Barbican service admin role to the Barbican admin user on the
# admin project.
- name: KEYMGR-API | keystone_conf |
    Create role assignment for Barbican admin user with Barbican service admin
    role in admin project
  become: true
  run_once: true
  keystone_v3:
    action: "grant_project_role"
    endpoint: "{{ keystone.admin_url }}/v3"
    login_token: "{{ domain_scoped_token_result.result }}"
    role_name: "{{ barbican_service_admin_role }}"
    user_name: "{{ barbican_admin_user }}"
    user_domain_name: "{{ barbican_admin_domain_name }}"
    project_name: "{{ keystone.admin_tenant_name }}"
    project_domain_name: "{{ barbican_admin_domain_name }}"
  tags:
    - barbican

# Grant the Barbican admin role to the Keystone admin user on the admin
# project.
# NOTE(review): the Keystone admin user is looked up in
# barbican_admin_domain_name, whereas the token task authenticates that user
# in keystone.default_domain_name. Presumably both name the same domain;
# verify.
- name: KEYMGR-API | keystone_conf |
    Create role assignment for Keystone admin user with Barbican admin role in
    admin project
  become: true
  run_once: true
  keystone_v3:
    action: "grant_project_role"
    endpoint: "{{ keystone.admin_url }}/v3"
    login_token: "{{ domain_scoped_token_result.result }}"
    role_name: "{{ barbican_admin_role }}"
    user_name: "{{ keystone.admin_user }}"
    user_domain_name: "{{ barbican_admin_domain_name }}"
    project_name: "{{ keystone.admin_tenant_name }}"
    project_domain_name: "{{ barbican_admin_domain_name }}"
  tags:
    - barbican

# Grant the Barbican service admin role to the Keystone admin user on the
# admin project.
- name: KEYMGR-API | keystone_conf |
    Create role assignment for Keystone admin user with Barbican service admin
    role in admin project
  become: true
  run_once: true
  keystone_v3:
    action: "grant_project_role"
    endpoint: "{{ keystone.admin_url }}/v3"
    login_token: "{{ domain_scoped_token_result.result }}"
    role_name: "{{ barbican_service_admin_role }}"
    user_name: "{{ keystone.admin_user }}"
    user_domain_name: "{{ barbican_admin_domain_name }}"
    project_name: "{{ keystone.admin_tenant_name }}"
    project_domain_name: "{{ barbican_admin_domain_name }}"
  tags:
    - barbican
07070100000042000081A40000000000000000000000015E7B82F9000007DD000000000000000000000000000000000000004C00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/start.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Restart or start Barbican API
# Activate (act_on) the barbican version recorded by the install step.
# Skipped when no install result is defined.
- name: KEYMGR-API | start | Activate the latest install
  when: barbican_api_install_result is defined
  become: true
  install_package:
    name: barbican
    service: "{{ barbican_api_service_name }}"
    version: "{{ barbican_api_install_result.version }}"
    activate: act_on
  register: barbican_api_activate_result
  tags:
    - barbican

# Print the activation result when one was registered.
- name: KEYMGR-API | start | Activate barbican packge result echo
  when: barbican_api_activate_result is defined
  debug:
    msg: "barbican_api_activate_result = {{ barbican_api_activate_result }}"

# Enable the vhost by linking the rendered .vhost file to a .conf name in the
# same Apache vhost directory.
- name: KEYMGR-API | start | Enable barbican_api_server vhost (apache)
  become: true
  file:
    state: link
    src: "{{ apache2_vhost_dir }}/barbican-api-modwsgi.vhost"
    dest: "{{ apache2_vhost_dir }}/barbican-api-modwsgi.conf"
  register: barbican_api_a2_enable_vhost_result

# Hand over to the FND-AP2 start_reload tasks.
# A reload is requested when the vhost link task reported a change. A restart
# is requested when the registered config result reported a change or
# barbican_api_restart_required is set.
- name: KEYMGR-API | start | Restart or start Barbican API (apache)
  include: "{{ playbook_dir }}/roles/FND-AP2/tasks/start_reload.yml"
  vars:
    apache_reload_requested: "{{
      barbican_api_a2_enable_vhost_result is defined and
      barbican_api_a2_enable_vhost_result.changed }}"
    apache_restart_requested: "{{ (
        ardana_notify_barbican_api_restart_required is defined and
        ardana_notify_barbican_api_restart_required.changed
      ) or barbican_api_restart_required }}"

07070100000043000081A40000000000000000000000015E7B82F9000005A0000000000000000000000000000000000000004D00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/status.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Wait three seconds before probing the API.
- name: KEYMGR-API | status | Add some delay
  pause:
    seconds: 3

# Probe the API root on its network address, expecting HTTP 300.
# failed_when is false, so this probe never fails the play; the result is
# registered and the local probe below decides on it.
- name: KEYMGR-API | status | Register barbican status
  uri:
    url: "http://{{ barbican_api_network_address }}:{{ barbican_api_port }}"
    timeout: 600
    status_code: 300
  failed_when: false
  register: barbican_status_result
  tags:
    - barbican

# Print the registered probe result.
- name: KEYMGR-API | status | Check status
  when: barbican_status_result
  debug:
    msg: "Barbican Status is {{ barbican_status_result }}"

# Retry the probe against 127.0.0.1 when the first probe returned no status
# or a status other than 300. This task has no failed_when override, so an
# unexpected answer here fails the play.
- name: KEYMGR-API | status | Register local barbican status
  when: >-
    barbican_status_result.status is not defined
    or barbican_status_result.status != 300
  uri:
    url: "http://127.0.0.1:{{ barbican_api_port }}"
    timeout: 600
    status_code: 300
  register: barbican_status_result
  tags:
    - barbican
07070100000044000081A40000000000000000000000015E7B82F9000003C2000000000000000000000000000000000000004B00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/tasks/stop.yml#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Remove the .conf link that enables the vhost.
- name: KEYMGR-API | stop | Disable Barbican API vhost (apache)
  become: true
  file:
    path: "{{ apache2_vhost_dir }}/barbican-api-modwsgi.conf"
    state: absent

# Reload apache2 so the removed vhost stops being served.
- name: KEYMGR-API | stop | Reload apache so that Barbican API is stopped (apache)
  become: true
  service:
    state: reloaded
    name: apache2
07070100000045000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004600000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/templates07070100000046000081A40000000000000000000000015E7B82F900000A3B000000000000000000000000000000000000005A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/templates/api-logging.conf.j2{#
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
# The audit logger and its auditfile handler are listed only when
# barbican_api_audit_enable is true.
[loggers]
keys: root, iso8601{%- if barbican_api_audit_enable|bool %}, audit{% endif %}

[handlers]
keys: watchedfile, logstash{%- if barbican_api_audit_enable|bool %}, auditfile{% endif %}

# NOTE(review): a [formatter_context] section is defined further down but
# "context" is not listed here. Confirm whether it is meant to be unused.
[formatters]
keys:  debug,minimal, normal, logstash


###########
# Loggers #
###########

[logger_root]
qualname: root
handlers: watchedfile, logstash
level: NOTSET

[logger_iso8601]
qualname: iso8601
handlers: watchedfile, logstash
level: INFO

{%- if barbican_api_audit_enable|bool %}

[logger_audit]
qualname: oslo.messaging.notification.audit
handlers: auditfile
propagate: 0
level: INFO

{% endif %}

################
# Log Handlers #
################

# Writes to disk
[handler_watchedfile]
class: handlers.WatchedFileHandler
args: ('/var/log/barbican/barbican.log',)
formatter = debug
level: {{ barbican_loglevel }}

# Writes JSON to disk, beaver will ship to logstash
[handler_logstash]
class: handlers.WatchedFileHandler
args: ('/var/log/barbican/barbican-json.log',)
formatter= logstash
level: {{ barbican_logstash_loglevel }}

{%- if barbican_api_audit_enable|bool %}

[handler_auditfile]
class: handlers.WatchedFileHandler
args: ('{{ barbican_audit_log_base_location }}/barbican/barbican-audit.log',)
formatter = minimal
level: INFO

{% endif %}

##################
# Log Formatters #
##################

[formatter_minimal]
format=%(message)s

[formatter_normal]
format=(%(name)s): %(asctime)s %(levelname)s %(message)s

[formatter_debug]
format=(%(name)s): %(asctime)s %(levelname)s %(module)s %(funcName)s %(message)s

# datefmt must be set otherwise you end up with too many (msecs) fields
# NOTE(review): no handler in this file references this formatter and it is
# not listed under [formatters] keys, so the section appears to be unused.
# Confirm before relying on it.
[formatter_context]
class: oslo_log.formatters.ContextFormatter
args: (datefmt=datefmt)
format: %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user)s %(tenant)s] %(instance)s%(message)s
datefmt: %Y-%m-%d %H:%M:%S

# the "format" attr actually sets the "type"
[formatter_logstash]
class = logstash.LogstashFormatterVersion1
format = barbican
07070100000047000081A40000000000000000000000015E7B82F900000473000000000000000000000000000000000000005C00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/templates/api_audit_map.conf.j2{#
#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
[DEFAULT]
# default target endpoint type
# should match the endpoint type defined in service catalog
target_endpoint_type = key-manager

# map urls ending with specific text to a unique action
[custom_actions]
secrets/get = read/list
acl/get = read


# possible end path of api requests
[path_keywords]
#defaults = None
secrets=
containers=
orders=
#cas=None
quotas=


# map endpoint type defined in service catalog to CADF typeURI
[service_endpoints]
key-manager = service/security/keymanager
07070100000048000081A40000000000000000000000015E7B82F90000047D000000000000000000000000000000000000006300000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/templates/barbican-api-modwsgi.conf.j2{#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}

Listen {{ barbican_api_network_address }}:{{ barbican_api_port }}

<VirtualHost {{ barbican_api_network_address }}:{{ barbican_api_port }}>
    WSGIDaemonProcess barbican-api user={{ barbican_user }} group={{ barbican_group }} processes=3 threads=4 python-path={{ barbican_venv_dir }}:{{barbican_venv_dir }}/lib/python2.7/site-packages/ display-name=barbican-api
    WSGIScriptAlias / {{ www_root }}/barbican/api
    WSGIProcessGroup barbican-api
    ErrorLog /var/log/barbican/barbican-api.log
    CustomLog /var/log/barbican/barbican-api.log combined
</VirtualHost>
07070100000049000081A40000000000000000000000015E7B82F900000A9A000000000000000000000000000000000000006000000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/templates/barbican-api-paste.ini.j2{#
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
[composite:main]
use = egg:Paste#urlmap
/: barbican_version
/v1: barbican-api-keystone

# Pipeline for the version-listing endpoint ("/" in [composite:main]).
# It contains no authentication filter.
[pipeline:barbican_version]
pipeline = cors http_proxy_to_wsgi versionapp

# Barbican API pipeline with no authentication: it uses
# unauthenticated-context instead of authtoken. [composite:main] in this
# file does not route any path to it.
[pipeline:barbican_api]
pipeline = cors http_proxy_to_wsgi unauthenticated-context apiapp

# Use this pipeline to activate a repoze.profile middleware and HTTP port,
# to provide profiling information for the REST API processing.
# It also uses unauthenticated-context, so requests are not authenticated;
# [composite:main] in this file does not route any path to it.
[pipeline:barbican-profile]
pipeline = cors http_proxy_to_wsgi unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp

# Pipeline with keystone authentication (authtoken). "/v1" in
# [composite:main] is routed here. The templated filter name between
# context and apiapp is presumably "audit" when API auditing is enabled and
# empty otherwise - confirm against the role variables.
[pipeline:barbican-api-keystone]
pipeline = cors http_proxy_to_wsgi authtoken context {{ audit_filter }} apiapp

# Pipeline with keystone authentication and the audit filter always present.
# Unlike the pipelines above, it does not include the cors filter.
[pipeline:barbican-api-keystone-audit]
pipeline = http_proxy_to_wsgi authtoken context audit apiapp

[app:apiapp]
paste.app_factory = barbican.api.app:create_main_app

[app:versionapp]
paste.app_factory = barbican.api.app:create_version_app

[filter:simple]
paste.filter_factory = barbican.api.middleware.simple:SimpleFilter.factory

[filter:unauthenticated-context]
paste.filter_factory = barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory

[filter:context]
paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory

[filter:audit]
paste.filter_factory = keystonemiddleware.audit:filter_factory
audit_map_file = {{ barbican_conf_dir }}/api_audit_map.conf

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

[filter:profile]
use = egg:repoze.profile
log_filename = myapp.profile
cachegrind_filename = cachegrind.out.myapp
discard_first_request = true
path = /__profile__
flush_at_shutdown = true
unwind = false

[filter:cors]
paste.filter_factory = oslo_middleware.cors:filter_factory
oslo_config_project = barbican

[filter:http_proxy_to_wsgi]
paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory
0707010000004A000081A40000000000000000000000015E7B82F900003B02000000000000000000000000000000000000005700000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/templates/barbican.conf.j2{#
#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
# Please don't change any values under curly braces
[DEFAULT]
# Show more verbose log output (sets INFO log level output)
#verbose = True

# Show debugging output in logs (sets DEBUG log level output)
#debug = True

# Address to bind the API server
#bind_host = {{ barbican_api_network_address }}

# Port to bind the API server to
#bind_port = {{ barbican_api_port }}

# Host name, for use in HATEOAS-style references
#  Note: Typically this would be the load balanced endpoint that clients would use
#  to communicate back with this service.
# host_href = {{ barbican_internal_endpoint }}
host_href =

# Log to this file. Make sure you do not set the same log
# file for both the API and registry servers!
#log_file = /var/log/barbican/api.log
log_config_append = "{{ barbican_conf_dir }}/{{ logging_conf_file_name }}"

# Backlog requests when creating socket
backlog = 4096

# TCP_KEEPIDLE value in seconds when creating socket.
# Not supported on OS X.
#tcp_keepidle = 600

# Maximum allowed secret size and HTTP request size, in bytes, against the barbican-api
max_allowed_secret_in_bytes = 10000
max_allowed_request_size_in_bytes = 1000000

# SQLAlchemy connection string for the reference implementation
# registry server. Any valid SQLAlchemy connection string is fine.
# See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine
# Uncomment this for local dev, putting db in project directory:
#sql_connection = sqlite:///barbican.sqlite
# Note: For absolute addresses, use '////' slashes after 'sqlite:'
# Uncomment for a more global development environment
sql_connection = {{ barbican_database_connection_string }}

# Don't auto create/upgrade database as part of server startup
db_auto_create = False

# Period in seconds after which SQLAlchemy should reestablish its connection
# to the database.
#
# MySQL uses a default `wait_timeout` of 8 hours, after which it will drop
# idle connections. This can result in 'MySQL Gone Away' exceptions. If you
# notice this, you can lower this value to ensure that SQLAlchemy reconnects
# before MySQL can drop the connection.
sql_idle_timeout = 3600

# Accepts a class imported from the sqlalchemy.pool module, and handles the
# details of building the pool for you. If commented out, SQLAlchemy
# will select based on the database dialect. Other options are QueuePool
# (for SQLAlchemy-managed connections) and NullPool (to disable SQLAlchemy
# management of connections).
# See http://docs.sqlalchemy.org/en/latest/core/pooling.html for more details.
sql_pool_class = QueuePool

sql_retry_interval=1
sql_max_retries=60

# Show SQLAlchemy pool-related debugging output in logs (sets DEBUG log level
# output) if specified.
#sql_pool_logging = True

# Size of pool used by SQLAlchemy. This is the largest number of connections
# that will be kept persistently in the pool. Can be set to 0 to indicate no
# size limit. To disable pooling, use a NullPool with sql_pool_class instead.
# Comment out to allow SQLAlchemy to select the default.
sql_pool_size = 5

# The maximum overflow size of the pool used by SQLAlchemy. When the number of
# checked-out connections reaches the size set in sql_pool_size, additional
# connections will be returned up to this limit. It follows then that the
# total number of simultaneous connections the pool will allow is
# sql_pool_size + sql_pool_max_overflow. Can be set to -1 to indicate no
# overflow limit, so no limit will be placed on the total number of concurrent
# connections. Comment out to allow SQLAlchemy to select the default.
sql_pool_max_overflow = 10

# Default page size for the 'limit' paging URL parameter.
default_limit_paging = 10

# Maximum page size for the 'limit' paging URL parameter.
max_limit_paging = 100

# Role used to identify an authenticated user as administrator
#admin_role = admin

# Allow unauthenticated users to access the API with read-only
# privileges. This only applies when using ContextMiddleware.
#allow_anonymous_access = False

# Allow access to version 1 of barbican api
#enable_v1_api = True

# Allow access to version 2 of barbican api
#enable_v2_api = True

# ================= SSL Options ===============================

# Certificate file to use when starting API server securely
#cert_file = {{ barbican_api_ssl_client_cert }}

# Private key file to use when starting API server securely
#key_file = {{ barbican_api_ssl_client_key }}

# CA certificate file to use to verify connecting clients
#ca_file = {{ barbican_api_ssl_ca_cert }}

# ================= Security Options ==========================

# AES key for encrypting store 'location' metadata, including
# -- if used -- Swift or S3 credentials
# Should be set to a random string of length 16, 24 or 32 bytes
#metadata_encryption_key = <16, 24 or 32 char registry metadata key>

# For HA, specify queue nodes in cluster as 'user@host:5672', comma delimited, ending with '/offset':
#   For example: transport_url = rabbit://guest@192.168.50.8:5672,guest@192.168.50.9:5672/
transport_url = {{ barbican_transport_url }}

# oslo notification driver for sending audit events via audit middleware.
# Meaningful only when middleware is enabled in barbican paste ini file.
# This is oslo config MultiStrOpt so can be defined multiple times in case
# there is need to route audit event to messaging as well as log.
# notification_driver = messagingv2
# notification_driver = log
notification_driver = {{ notification_driver_name }}

# ================= Queue Options - oslo.messaging ==========================

[oslo_messaging_rabbit]
# Rabbit and HA configuration:
#amqp_durable_queues = True
ssl = {{ barbican_rabbit_use_ssl }}

[keystone_authtoken]
auth_type = password
auth_url = {{ keystone.identity_url }}
username = {{ barbican_service_user }}
password = {{ barbican_service_password }}
user_domain_name = {{ keystone.default_domain_name }}
project_name = {{ keystone.service_tenant_name }}
project_domain_name = {{ keystone.default_domain_name }}
cafile = {{ keystone.ca_file }}
service_token_roles_required = true
service_token_roles = admin
memcached_servers = {{ memcached_servers }}
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcache_secret_key }}
memcache_pool_socket_timeout = 1

# ======== OpenStack policy - oslo_policy ===============

[oslo_policy]

# ======== OpenStack policy integration
# JSON file representing policy (string value)
policy_file=/etc/barbican/policy.json

# Rule checked when requested rule is not found (string value)
policy_default_rule=default


# ================= Queue Options - Application ==========================

[queue]
# Enable queuing asynchronous messaging.
#   Set false to invoke worker tasks synchronously (i.e. no-queue standalone mode)
enable = False

# Namespace for the queue
namespace = 'barbican'

# Topic for the queue
topic = 'barbican.workers'

# Version for the task API
version = '1.1'

# Server name for RPC service
server_name = 'barbican.queue'

# Number of asynchronous worker processes.
# When greater than 1, then that many additional worker processes are
# created for asynchronous worker functionality.
asynchronous_workers = 1

# ================= Retry/Scheduler Options ==========================

[retry_scheduler]
# Seconds (float) to wait between starting retry scheduler
initial_delay_seconds = 10.0

# Seconds (float) to wait between periodic schedule events
periodic_interval_max_seconds = 10.0


# ====================== Quota Options ===============================

[quotas]
# For each resource, the default maximum number that can be used for
# a project is set below.  This value can be overridden for each
# project through the API.  A negative value means no limit.  A zero
# value effectively disables the resource.

# default number of secrets allowed per project
quota_secrets = -1

# default number of orders allowed per project
quota_orders = -1

# default number of containers allowed per project
quota_containers = -1

# default number of consumers allowed per project
quota_consumers = -1

# default number of CAs allowed per project
quota_cas = -1

# ================= Keystone Notification Options - Application ===============

[keystone_notifications]

# Keystone notification functionality uses transport related configuration
# from barbican common configuration as defined under
# 'Queue Options - oslo.messaging' comments.
# The HA related configuration is also shared with notification server.

# True enables keystone notification listener functionality.
enable = False

# The default exchange under which topics are scoped.
# May be overridden by an exchange name specified in the transport_url option.
control_exchange = 'openstack'

# Keystone notification queue topic name.
# This name needs to match one of values mentioned in Keystone deployment's
# 'notification_topics' configuration e.g.
#      notification_topics=notifications, barbican_notifications
# Multiple servers may listen on a topic and messages will be dispatched to one
# of the servers in a round-robin fashion. That's why Barbican service should
# have its own dedicated notification queue so that it receives all of Keystone
# notifications.
topic = 'notifications'

# True enables requeue feature in case of notification processing error.
# Enable this only when underlying transport supports this feature.
allow_requeue = False

# Version of tasks invoked via notifications
version = '1.0'

# Define the number of max threads to be used for notification server
# processing functionality.
thread_pool_size = 10

# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = {{ barbican_secretstore_plugins }}

# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = {{ barbican_enabled_crypto_plugins }}

[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
# NOTE(review): the value is passed through the barbican_master_key_decrypt
# filter, so the rendered file presumably contains the usable KEK in clear
# text - confirm that the deploying task restricts the rendered file's owner
# and mode to the barbican service account.
kek = "{{ barbican_simple_crypto_master_key | barbican_master_key_decrypt }}"

[dogtag_plugin]
# NOTE(review): every value in this section is a literal, not a template
# variable. nss_password in particular is a fixed, guessable sample string.
# Whether this plugin is loaded depends on the enabled plugin lists set
# elsewhere in this file; if it is ever enabled, nss_password should be
# replaced by a secret supplied at deploy time instead of being shipped in
# the template.
pem_path = '/etc/barbican/kra_admin_cert.pem'
dogtag_host = localhost
dogtag_port = 8443
nss_db_path = '/etc/barbican/alias'
nss_db_path_ca = '/etc/barbican/alias-ca'
nss_password = 'password123'
simple_cmc_profile = 'caOtherCert'
ca_expiration_time = 1
plugin_working_dir = '/etc/barbican/dogtag'


[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = "{{ barbican_pkcs11_library_path }}"
# Password to login to PKCS11 session
login = "{{ barbican_pkcs11_session_password }}"
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = "{{ barbican_pkcs11_mkek_label }}"
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = "{{ barbican_pkcs11_hmac_label }}"
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
slot_id = {{ barbican_pkcs11_slot_id }}
# Enable Read/Write session with the HSM?
# rw_session = True
# Length of Project KEKs to create
# pkek_length = 32
# How long to cache unwrapped Project KEKs
pkek_cache_ttl = {{ barbican_pkcs11_project_kek_cache_ttl_secs }}
# Max number of items in pkek cache
pkek_cache_limit = {{ barbican_pkcs11_project_kek_cache_size }}
# Disable in case plugin iv generation is not needed e.g. for FIPS enabled HSM
generate_iv = True


# ================== KMIP plugin =====================
[kmip_plugin]
username = {{ barbican_kmip_username }}
password = {{ barbican_kmip_password }}
host = {{ barbican_kmip_host }}
port = {{ barbican_kmip_port }}
keyfile = {{ barbican_kmip_client_key_path }}
certfile = {{ barbican_kmip_client_cert_path }}
ca_certs = {{ barbican_kmip_client_cacert_path }}

# ================= Certificate plugin ===================
[certificate]
namespace = barbican.certificate.plugin
# NOTE(review): enabled_certificate_plugins is assigned twice. Presumably it
# is a multi-valued option and both plugins are enabled; if it is
# single-valued only one assignment takes effect - confirm.
# By its name, snakeoil_ca is a self-signed CA plugin; its CA certificate and
# key paths are set in [snakeoil_ca_plugin] below. Confirm that it is
# intended to be enabled in this deployment.
enabled_certificate_plugins = simple_certificate
enabled_certificate_plugins = snakeoil_ca

[certificate_event]
namespace = barbican.certificate.event.plugin
enabled_certificate_event_plugins = simple_certificate_event

[snakeoil_ca_plugin]
ca_cert_path = /etc/barbican/snakeoil-ca.crt
ca_cert_key_path = /etc/barbican/snakeoil-ca.key
ca_cert_chain_path = /etc/barbican/snakeoil-ca.chain
ca_cert_pkcs7_path = /etc/barbican/snakeoil-ca.p7b
subca_cert_key_directory=/etc/barbican/snakeoil-cas

[cors]

#
# From oslo.middleware.cors
#

# Indicate whether this resource may be shared with the domain
# received in the requests "origin" header. (list value)
#allowed_origin = <None>

# Indicate that the actual request can include user credentials
# (boolean value)
#allow_credentials = true

# Indicate which headers are safe to expose to the API. Defaults to
# HTTP Simple Headers. (list value)
#expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles

# Maximum cache age of CORS preflight requests. (integer value)
#max_age = 3600

# Indicate which methods can be used during the actual request. (list
# value)
#allow_methods = GET,PUT,POST,DELETE,PATCH

# Indicate which header field names may be used during the actual
# request. (list value)
#allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles


[cors.subdomain]

#
# From oslo.middleware.cors
#

# Indicate whether this resource may be shared with the domain
# received in the requests "origin" header. (list value)
#allowed_origin = <None>

# Indicate that the actual request can include user credentials
# (boolean value)
#allow_credentials = true

# Indicate which headers are safe to expose to the API. Defaults to
# HTTP Simple Headers. (list value)
#expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles

# Maximum cache age of CORS preflight requests. (integer value)
#max_age = 3600

# Indicate which methods can be used during the actual request. (list
# value)
#allow_methods = GET,PUT,POST,DELETE,PATCH

# Indicate which header field names may be used during the actual
# request. (list value)
#allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
0707010000004B000081A40000000000000000000000015E7B82F900000647000000000000000000000000000000000000005400000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/templates/barbican.osrc{#
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
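# Environment variables for Barbican client API.
# This file is meant to be sourced by a shell. Templated values are passed
# through the "quote" filter so that a value containing whitespace or shell
# metacharacters is taken literally instead of being split or expanded.
# NOTE(review): once rendered, this file holds the admin password in clear
# text; presumably the deploying task restricts its owner and mode - confirm.
#export OS_URL={{ keystone.admin_url }}/v3

# Clear any scope left over from a previously sourced environment file.
unset OS_DOMAIN_NAME
unset OS_PROJECT_NAME
unset OS_PROJECT_DOMAIN_NAME

export OS_PROJECT_NAME={{ keystone.admin_tenant_name | quote }}

# Either Project Domain ID or Project Domain Name is required
#export OS_PROJECT_DOMAIN_ID=
export OS_PROJECT_DOMAIN_NAME={{ barbican_admin_domain_name | quote }}

# Either Domain User ID or Domain User Name is required
#export OS_USER_DOMAIN_ID=
export OS_USER_DOMAIN_NAME={{ barbican_admin_domain_name | quote }}

# Either User ID or Username can be used
#export OS_USER_ID=
export OS_USERNAME={{ barbican_admin_user | quote }}
export OS_PASSWORD={{ barbican_admin_user_password | quote }}

export OS_ENDPOINT_TYPE=internalURL
# OS_AUTH_URL should be your location of Keystone
# Barbican Client defaults to Keystone V3
export OS_AUTH_URL="{{ keystone.auth_url }}/v3"
export BARBICAN_INTERFACE=internal
export OS_IDENTITY_API_VERSION=3
# CA bundle the client uses to verify the Keystone and Barbican endpoints.
export OS_CACERT={{ trusted_ca_bundle | quote }}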
0707010000004C000081A40000000000000000000000015E7B82F9000001EB000000000000000000000000000000000000006000000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/templates/barbican_api_server_start#!/usr/bin/env python

from paste import deploy
from paste import httpserver

def run():
    """Load the Barbican API Paste application and serve it over HTTP.

    The application named 'main' is loaded from barbican-api-paste.ini in
    the hard-coded /etc/barbican directory and handed to Paste's built-in
    HTTP server. The listen address and port are filled in when this
    template is rendered.

    NOTE(review): no TLS-related argument is passed to the server here, so
    as written the listener is plain HTTP; presumably TLS is terminated in
    front of this process - confirm.
    """
    #prop_dir = "{{ barbican_conf_dir }}"
    conf_dir = "/etc/barbican"
    paste_uri = 'config:{prop_dir}/barbican-api-paste.ini'.format(
        prop_dir=conf_dir)
    wsgi_app = deploy.loadapp(paste_uri, name='main')

    # daemon_threads=True is passed through to Paste's server unchanged.
    httpserver.serve(
        wsgi_app,
        host="{{ barbican_api_network_address }}",
        port='{{ barbican_api_port }}',
        daemon_threads=True)


if __name__ == '__main__':
    # Start the server only when this file is executed as a script.
    run()
0707010000004D000081A40000000000000000000000015E7B82F900000612000000000000000000000000000000000000005300000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/templates/generate_kek#!/usr/bin/env python

# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#

import base64
import os
import os.path
import imp
import sys

# Directory containing this script, with symlinks resolved.
path = os.path.dirname(os.path.realpath(__file__))

# Load ardanaencrypt.py from three directories above this script and execute
# it as a module.
# NOTE(review): imp.load_source runs whatever file sits at that path, so the
# file and its parent directories should be writable only by trusted
# accounts - confirm how it is installed.
ardanaencrypt = imp.load_source('ardanaencrypt', path + '/../../../ardanaencrypt.py')

# Name of the attribute of ardanaencrypt that provides the encryption class.
encryption_class = 'openssl'

# Resolve that name to the object that generate_key() instantiates.
ardanaencrypt_class = getattr(ardanaencrypt, encryption_class)

def generate_key(num_bytes=32, oldKey=None):
    """Return an encrypted, prefixed key string.

    By default the key material is ``num_bytes`` bytes from os.urandom,
    URL-safe base64 encoded. If a first command-line argument is present it
    is used as the key material instead. A value that already starts with
    one of the encryption class's prefixes is returned unchanged; anything
    else is encrypted, base64 encoded again and returned with the prefix.

    :param num_bytes: number of random bytes to draw for a generated key.
    :param oldKey: accepted but not used by this function.
    :returns: the prefixed encrypted value, or the input value when it is
        already prefixed.

    NOTE(review): key material supplied as a command-line argument can be
    visible to other local users through the process list while the script
    runs, and is not checked for length or encoding here.
    """
    # Fresh random key material is drawn even when an argument overrides it.
    candidate = base64.urlsafe_b64encode(os.urandom(num_bytes))
    if len(sys.argv) > 1:
        candidate = sys.argv[1]

    # Make sure the input value is not encrypted already.
    already_encrypted = (
        candidate.startswith(ardanaencrypt_class.prefix) or
        candidate.startswith(ardanaencrypt_class.legacy_prefix))
    if already_encrypted:
        return candidate

    encryptor = ardanaencrypt_class()
    prefix = encryptor.prefix

    # Base64 encode the ciphertext to avoid newlines or special characters.
    wrapped = base64.urlsafe_b64encode(encryptor.encrypt(candidate))
    return prefix + wrapped


if __name__ == '__main__':
    # Python 2 print statement: writes the value returned by generate_key()
    # to stdout.
    print generate_key()
0707010000004E000081A40000000000000000000000015E7B82F900001A3E000000000000000000000000000000000000005200000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/templates/policy.json{#
#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
{
    "admin": "role:{{ barbican_admin_role }}",
    "observer": "role:{{ barbican_observer_role }}",
    "creator": "role:{{ barbican_creator_role }}",
    "audit": "role:{{ barbican_auditor_role }}",
    "service_admin": "role:{{ barbican_service_admin_role }}",
    "admin_or_user_does_not_work": "project_id:%(project_id)s",
    "admin_or_user": "rule:admin or project_id:%(project_id)s",
    "admin_or_creator": "rule:admin or rule:creator",
    "all_but_audit": "rule:admin or rule:observer or rule:creator",
    "all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin",
    "secret_project_match": "project:%(target.secret.project_id)s",
    "secret_acl_read": "'read':%(target.secret.read)s",
    "secret_private_read": "'False':%(target.secret.read_project_access)s",
    "secret_creator_user": "user:%(target.secret.creator_id)s",
    "container_project_match": "project:%(target.container.project_id)s",
    "container_acl_read": "'read':%(target.container.read)s",
    "container_private_read": "'False':%(target.container.read_project_access)s",
    "container_creator_user": "user:%(target.container.creator_id)s",

    "secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read",
    "secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
    "container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read",
    "secret_project_admin": "rule:admin and rule:secret_project_match",
    "secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user",
    "container_project_admin": "rule:admin and rule:container_project_match",
    "container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user",

    "version:get": "@",
    "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
    "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
    "secret:put": "rule:admin_or_creator and rule:secret_project_match",
    "secret:delete": "rule:secret_project_admin or rule:secret_project_creator",
    "secrets:post": "rule:admin_or_creator",
    "secrets:get": "rule:all_but_audit",
    "orders:post": "rule:admin_or_creator",
    "orders:get": "rule:all_but_audit",
    "order:get": "rule:all_users",
    "order:put": "rule:admin_or_creator",
    "order:delete": "rule:admin",
    "consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
    "consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
    "consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
    "consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
    "containers:post": "rule:admin_or_creator",
    "containers:get": "rule:all_but_audit",
    "container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
    "container:delete": "rule:container_project_admin or rule:container_project_creator",
    "container_secret:post": "rule:admin",
    "container_secret:delete": "rule:admin",
    "transport_key:get": "rule:all_users",
    "transport_key:delete": "rule:admin",
    "transport_keys:get": "rule:all_users",
    "transport_keys:post": "rule:admin",
    "certificate_authorities:get_limited": "rule:all_users",
    "certificate_authorities:get_all": "rule:admin",
    "certificate_authorities:post": "rule:admin",
    "certificate_authorities:get_preferred_ca": "rule:all_users",
    "certificate_authorities:get_global_preferred_ca": "rule:service_admin",
    "certificate_authorities:unset_global_preferred": "rule:service_admin",
    "certificate_authority:delete": "rule:admin",
    "certificate_authority:get": "rule:all_users",
    "certificate_authority:get_cacert": "rule:all_users",
    "certificate_authority:get_ca_cert_chain": "rule:all_users",
    "certificate_authority:get_projects": "rule:service_admin",
    "certificate_authority:add_to_project": "rule:admin",
    "certificate_authority:remove_from_project": "rule:admin",
    "certificate_authority:set_preferred": "rule:admin",
    "certificate_authority:set_global_preferred": "rule:service_admin",
    "secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator",
    "secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator",
    "secret_acls:get": "rule:all_but_audit and rule:secret_project_match",
    "container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator",
    "container_acls:delete": "rule:container_project_admin or rule:container_project_creator",
    "container_acls:get": "rule:all_but_audit and rule:container_project_match",
    "quotas:get": "rule:all_users",
    "project_quotas:get": "rule:service_admin",
    "project_quotas:put": "rule:service_admin",
    "project_quotas:delete": "rule:service_admin",
    "secret_meta:get": "rule:all_but_audit",
    "secret_meta:post": "rule:admin_or_creator",
    "secret_meta:put": "rule:admin_or_creator",
    "secret_meta:delete": "rule:admin_or_creator",
    "secretstores:get": "rule:admin",
    "secretstores:get_global_default": "rule:admin",
    "secretstores:get_preferred": "rule:admin",
    "secretstore_preferred:post": "rule:admin",
    "secretstore_preferred:delete": "rule:admin",
    "secretstore:get": "rule:admin"
}
0707010000004F000081A40000000000000000000000015E7B82F900000929000000000000000000000000000000000000006200000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/templates/vassals_barbican-api.ini.j2{#
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
[uwsgi]
socket = {{ barbican_api_network_address }}:{{ barbican_api_port }}
protocol = http
cheaper-algo = spare
cheaper = {{ barbican_api_min_worker_count }}
cheaper-initial = {{ barbican_api_initial_worker_count }}
# Window in seconds: new workers are spawned if all workers are busy during this window.
# uWSGI's own default is 3; increased to 10 here.
cheaper-overload = 10
workers = {{ barbican_api_max_worker_count }}
threads = {{ barbican_api_threads_count }}
# lazy-apps = true loads the application after fork
# lazy-apps = false forks after loading the application, to share memory across workers
lazy-apps = false
# try to remove all of generated file/sockets
vacuum = true
#ignore-sigpipe = true
no-default-app = true
memory-report = true
# kill the process instead of reloading when SIGTERM is sent.
die-on-term = true
#the maximum time (in seconds) we wait for workers and other processes to die during reload/shutdown
reload-mercy=5
worker-reload-mercy=5
# disable-logging = true
# send stdout/stderr to the log engine too
pty-log = true
#logger = errorlog syslog
logger = monitorlog file:/var/log/barbican/barbican-monitor.log
logger = file:/var/log/barbican/barbican-access.log
log-route = monitorlog (GET / HTTP/1.\d)
#log-route = errorlog HTTP/1.0" 500
#logto=/var/log/barbican/barbican-access.log
log-format = %(host) - [%(ltime)] "%(method) %(uri) %(proto)" %(status) %(size) "%(referer)" "%(uagent)" "%(micros) micros" "rss: %(rssM) MB" "pid: %(pid)"
procname-prefix-spaced = barbican-api
#plugins = python
venv = {{ barbican_venv_dir }}
paste = config:{{ barbican_conf_dir }}/barbican-api-paste.ini
#paste-logger={{ barbican_conf_dir }}/api-logging.conf
#add-header = Connection: close
07070100000050000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004100000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/vars07070100000051000081A40000000000000000000000015E7B82F9000002D6000000000000000000000000000000000000004A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-API/vars/main.yml#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#

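# Name and home directory of the account Ansible connects as, read from the
# gathered environment facts (ansible_env).
ardanauser: "{{ ansible_env['USER'] }}"
ardanauser_home: "{{ ansible_env['HOME'] }}"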
07070100000052000041ED0000000000000000000000085E7B82F900000000000000000000000000000000000000000000003C00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR07070100000053000081A40000000000000000000000015E7B82F9000000F8000000000000000000000000000000000000004600000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/README.mdREADME
======

The Barbican Worker has two kinds of configurable entries:
1. Configuration entries that go into barbican-worker.conf
2. Deployment specific configuration which are not part of barbican-worker.conf like log_level, process count etc07070100000054000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004500000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/defaults07070100000055000081A40000000000000000000000015E7B82F9000002F8000000000000000000000000000000000000004E00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/defaults/main.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Alias for the worker service name within this role.
component_service_name: "{{ barbican_worker_service_name }}"

# File name of the worker logging configuration.
logging_conf_file_name: worker-logging.conf
07070100000056000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004500000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/handlers07070100000057000081A40000000000000000000000015E7B82F9000003B4000000000000000000000000000000000000004E00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/handlers/main.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
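# Handlers for Barbican Worker

# Restarts the worker service; "sleep" is the pause in seconds between the
# stop and the start.
- name: restart barbican worker
  service:
    name: "{{ barbican_worker_service_name }}"
    state: "restarted"
    sleep: "20"

# Handler for Barbican worker config change: records that a restart is needed
# so that a later task can act on the flag.
- name: barbican_worker_config_change
  set_fact:
    barbican_worker_restart_required: true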
07070100000058000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004100000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/meta07070100000059000081A40000000000000000000000015E7B82F9000002C1000000000000000000000000000000000000004A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/meta/main.yml#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Roles that Ansible runs before this one.
dependencies:
  - role: barbican-common
  - role: KEYMGR-API
0707010000005A000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004200000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/tasks0707010000005B000081A40000000000000000000000015E7B82F900000284000000000000000000000000000000000000006400000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/tasks/_configure_deployment_options.yml#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

0707010000005C000081A40000000000000000000000015E7B82F9000009BF000000000000000000000000000000000000005000000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/tasks/configure.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

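# Configure the Barbican worker: log files, configuration files, symlinks and
# the launcher script.

# NOTE(review): presumably this include sets the barbican_*_dir variables from
# the install result - confirm against barbican-common.
- include: ../../barbican-common/tasks/_set_directories.yml
  vars:
    install_package_result: "{{ barbican_worker_install_result }}"

# Pre-create the log files so they exist with the intended owner, group and
# mode before the service first writes to them.
- name: KEYMGR-WKR | configure  | Touch the log file
  file:
    path: "{{ item }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_centralized_log_group }}"
    # Quoted so the value is passed as the string "0640" rather than being
    # re-typed by the YAML parser.
    mode: "0640"
    state: touch
  become: true
  with_items:
    - "/var/log/barbican/barbican-worker.log"
    - "/var/log/barbican/barbican-worker-json.log"
  tags:
    - barbican

# The worker configuration is rendered from the API role's barbican.conf.j2.
# Mode 0600 keeps it readable by the service account only.
# NOTE(review): three tasks in this file register the same variable. With
# stock Ansible the last register replaces the earlier results; presumably the
# ardana_notify_ prefix is handled specially by the deployer - confirm.
- name: KEYMGR-WKR | configure  | Configure the barbican worker conf
  template:
    src: "../../KEYMGR-API/templates/barbican.conf.j2"
    dest: "{{ barbican_conf_dir }}/barbican-worker.conf"
    mode: "0600"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
  become: true
  register: ardana_notify_barbican_worker_restart_required
  tags:
    - barbican

- name: KEYMGR-WKR | configure  | Configure the barbican worker logging conf
  template:
    src: "worker-logging.conf.j2"
    dest: "{{ barbican_conf_dir }}/worker-logging.conf"
    mode: "0600"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
  become: true
  register: ardana_notify_barbican_worker_restart_required
  tags:
    - barbican

# Expose both files under /etc/barbican as symlinks into the conf directory.
- name: KEYMGR-WKR | configure | Create barbican-worker symlinks
  become: true
  file:
    src: "{{ barbican_conf_dir }}/{{ item }}"
    dest: "/etc/barbican/{{ item }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    state: "link"
  with_items:
    - worker-logging.conf
    - barbican-worker.conf
  tags:
    - barbican

# The launcher is installed without owner/group, so it belongs to the
# privileged account this task runs as; the service account can execute it
# (0755) but not modify it.
- name: KEYMGR-WKR | configure  | Configure the barbican_worker script
  become: true
  template:
    src: "barbican_worker"
    dest: "{{ barbican_bin_dir }}/barbican_worker"
    mode: "0755"
  register: ardana_notify_barbican_worker_restart_required
  tags:
    - barbican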
0707010000005D000081A40000000000000000000000015E7B82F9000002B1000000000000000000000000000000000000005900000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/tasks/configure_features.yml#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Pulls in the deployment-option tasks; that file currently holds no tasks.
- include: _configure_deployment_options.yml
0707010000005E000081A40000000000000000000000015E7B82F9000009F2000000000000000000000000000000000000004E00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/tasks/install.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

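# Install the Barbican worker from the barbican venv, create its directories
# and register it as a systemd service.

- name: KEYMGR-WKR | install | Update venv cache
  become: true
  install_package:
    cache: update

# Installs the package without activating it (act_off); start.yml activates
# the installed version later.
- name: KEYMGR-WKR | install | Install Barbican worker from barbican venv
  become: true
  install_package:
    name: barbican
    service: "{{ barbican_worker_service_name }}"
    state: present
    activate: act_off
  register: barbican_worker_install_result
  notify: barbican_worker_config_change
  tags:
    - barbican

- name: KEYMGR-WKR | install | Install Barbican package result echo
  debug:
    msg: "barbican_worker_install_result =
      {{ barbican_worker_install_result }}"

# NOTE(review): presumably this include sets the barbican_*_dir variables from
# the install result - confirm against barbican-common.
- include: ../../barbican-common/tasks/_set_directories.yml
  vars:
    install_package_result: "{{ barbican_worker_install_result }}"

# The mode is applied to the directory only. Applying "u+rwx,g+rx,o+rx"
# recursively would, on every re-run, add world read/execute to files already
# inside the conf directory (the 0600 configuration files, and the TLS client
# key path that barbican-common places under this directory) until a later
# task reset them.
- name: KEYMGR-WKR | install | Create barbican worker config directory
  become: true
  file:
    path: "{{ barbican_conf_dir }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    mode: "u+rwx,g+rx,o+rx"
    state: directory
  tags:
    - barbican

# Ownership is still fixed up recursively, without touching file modes.
- name: KEYMGR-WKR | install | Set ownership of barbican worker config tree
  become: true
  file:
    path: "{{ barbican_conf_dir }}"
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    state: directory
    recurse: true
  tags:
    - barbican

# The service runs as the unprivileged barbican account.
- name: KEYMGR-WKR | install | Register barbican-worker as a service
  become: true
  setup_systemd:
    service: "{{ barbican_worker_service_name }}"
    user: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    cmd: barbican_worker
    args: >
      --config-file "{{ barbican_conf_dir }}/barbican-worker.conf"
  tags:
    - barbican

- name: KEYMGR-WKR | install | print venv
  debug:
    msg: "Barbican worker venv dir = {{ barbican_venv_dir }},
    bin dir = {{ barbican_bin_dir }}, conf dir = {{ barbican_conf_dir }},
    share dir = {{ barbican_share_dir }}"

# The directory is group-writable and world-traversable; the worker log files
# themselves are created with mode 0640 in configure.yml.
# NOTE(review): confirm which accounts need to traverse this directory before
# tightening the mode.
- name: KEYMGR-WKR | install | Create logging directory
  become: true
  file:
    path: /var/log/barbican
    owner: "{{ barbican_user }}"
    group: "{{ barbican_group }}"
    mode: "0775"
    state: directory
  tags:
    - barbican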
0707010000005F000081A40000000000000000000000015E7B82F900000776000000000000000000000000000000000000004C00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/tasks/start.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

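# Restart or start Barbican Worker

# Activates the version recorded by the install step; skipped when no install
# result is available in this run.
# NOTE(review): install.yml installs the package as "barbican" while this task
# names "barbican-worker" - confirm that install_package resolves both to the
# same venv.
- name: KEYMGR-WKR | start | Activate the latest install
  become: true
  install_package:
    name: barbican-worker
    service: "{{ barbican_worker_service_name }}"
    activate: act_on
    version: "{{ barbican_worker_install_result.version }}"
  register: barbican_worker_activate_result
  when: barbican_worker_install_result is defined
  tags:
    - barbican

- name: KEYMGR-WKR | start | Activate barbican worker result echo
  debug:
    msg: "barbican_worker_activate_result =
    {{ barbican_worker_activate_result }}"
  when: barbican_worker_activate_result is defined

# Restart when a configuration task reported a change and no restart has been
# recorded yet, or when the config-change handler set the restart flag.
# default(false) keeps the condition evaluable when the flag was never set;
# "| bool" normalises a string value.
- name: KEYMGR-WKR | start | Restart barbican-worker service
  become: true
  service:
    name: "{{ barbican_worker_service_name }}"
    state: restarted
  when: >-
    (ardana_notify_barbican_worker_restart_required is defined and
    ardana_notify_barbican_worker_restart_required.changed and
    barbican_worker_restarted_result is not defined)
    or (barbican_worker_restart_required | default(false) | bool)
  register: barbican_worker_restarted_result
  tags:
    - barbican

# Idempotent final step: make sure the service is running even when no
# restart was needed.
- name: KEYMGR-WKR | start | Ensure barbican-worker service is started
  become: true
  service:
    name: "{{ barbican_worker_service_name }}"
    state: started
  tags:
    - barbican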
07070100000060000081A40000000000000000000000015E7B82F90000031F000000000000000000000000000000000000004B00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/tasks/stop.yml#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

- name: KEYMGR-WKR | stop | Stop Barbican Worker service/process
  service:
    name: "{{ barbican_worker_service_name }}"
    state: stopped
  become: yes07070100000061000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004600000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/templates07070100000062000081A40000000000000000000000015E7B82F9000000BF000000000000000000000000000000000000005600000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/templates/barbican_worker#!/bin/bash


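# Launcher for the Barbican worker; the templated paths are filled in by
# Ansible when this file is rendered.
CONFIG_DIR="{{ barbican_conf_dir }}"

# "$*" joins the arguments into one string, for display only.
echo "Command line arguments: [$*]"

echo "Barbican worker process."
# "$@" is quoted so each argument reaches the worker exactly as received;
# unquoted, an argument containing spaces or glob characters (for example a
# --config-file path) would be split or expanded by the shell.
"{{ barbican_bin_dir }}/python" "{{ barbican_bin_dir }}/barbican-worker" "$@"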
07070100000063000081A40000000000000000000000015E7B82F900000853000000000000000000000000000000000000005D00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/templates/worker-logging.conf.j2{#
#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
#}
# Python logging configuration for the Barbican worker, rendered by Ansible.
# Both ":" and "=" are used as key/value delimiters in this file.
[loggers]
keys: root, iso8601

[handlers]
keys: watchedfile, logstash

# Only the formatters listed here are declared to the logging config loader.
[formatters]
keys:  debug,minimal, normal, logstash


###########
# Loggers #
###########

# The root logger is left at NOTSET, so the per-handler levels below decide
# what is written.
[logger_root]
qualname: root
handlers: watchedfile, logstash
level: NOTSET

[logger_iso8601]
qualname: iso8601
handlers: watchedfile, logstash
level: INFO


################
# Log Handlers #
################

# Writes to disk
# The level is a deployment variable.
# NOTE(review): at DEBUG the worker log may carry request-level detail from a
# key-management service; confirm the log file permissions match that.
[handler_watchedfile]
class: handlers.WatchedFileHandler
args: ('/var/log/barbican/barbican-worker.log',)
formatter = debug
level: {{ barbican_loglevel }}

# Writes JSON to disk, beaver will ship to logstash
[handler_logstash]
class: handlers.WatchedFileHandler
args: ('/var/log/barbican/barbican-worker-json.log',)
formatter= logstash
level: {{ barbican_logstash_loglevel }}


##################
# Log Formatters #
##################

[formatter_minimal]
format=%(message)s

[formatter_normal]
format=(%(name)s): %(asctime)s %(levelname)s %(message)s

[formatter_debug]
format=(%(name)s): %(asctime)s %(levelname)s %(module)s %(funcName)s %(message)s

# datefmt must be set otherwise you end up with too many (msecs) fields
# NOTE(review): "context" is not listed under [formatters] keys and no handler
# in this file references it, so this section looks unused - confirm.
[formatter_context]
class: oslo_log.formatters.ContextFormatter
args: (datefmt=datefmt)
format: %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user)s %(tenant)s] %(instance)s%(message)s
datefmt: %Y-%m-%d %H:%M:%S

# the "format" attr actually sets the "type"
[formatter_logstash]
class = logstash.LogstashFormatterVersion1
format = barbican

07070100000064000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004100000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/vars07070100000065000081A40000000000000000000000015E7B82F9000002DD000000000000000000000000000000000000004A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/KEYMGR-WKR/vars/main.yml#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
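# Name and home directory of the account Ansible connects as, read from the
# gathered environment facts (ansible_env).
wkr_ardanauser: "{{ ansible_env['USER'] }}"
wkr_ardanauser_home: "{{ ansible_env['HOME'] }}"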
07070100000066000041ED0000000000000000000000065E7B82F900000000000000000000000000000000000000000000004100000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common07070100000067000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/defaults07070100000068000081A40000000000000000000000015E7B82F900001C8B000000000000000000000000000000000000005300000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/defaults/main.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Service account, its home directory and its primary group.
barbican_home_dir: /home/barbican
barbican_user: barbican
barbican_group: barbican
# Group given to the worker log files (see KEYMGR-WKR configure.yml), which
# are created with mode 0640 so members of this group can read them.
barbican_centralized_log_group: adm

# Service name fed to the bin_dir/config_dir/share_dir/venv_dir filters below.
service: barbican

barbican_api_network_address: "{{ host.bind.KEYMGR_API.internal.ip_address }}"
barbican_api_port: "{{ host.bind.KEYMGR_API.internal.port }}"

barbican_bin_dir: "{{ service | bin_dir() }}"
barbican_conf_dir: "{{ service | config_dir() }}/{{service}}"
barbican_share_dir: "{{ service | share_dir() }}"
barbican_venv_dir: "{{ service | venv_dir }}"
barbican_unversioned_conf_dir: "{{ service | config_dir() }}/{{service}}"

barbican_admin_domain_name: "Default"

barbican_admin_role: "{{ KEYMGR_API.vars.barbican_admin_role | default (KEY_API.vars.keystone_admin_role) }}"
barbican_observer_role: "key-manager:observer"
barbican_creator_role: "key-manager:creator"
barbican_auditor_role: "key-manager:auditor"
barbican_service_admin_role: "key-manager:service-admin"
keystone_service_role: service

barbican_api_audit_enable: "{{ KEYMGR.audit.enabled }}"

barbican_audit_log_base_location: "{{ KEYMGR.audit.dir }}"

# Barbican admin and service credentials from the input model.
# The "quote" filter shell-quotes the value.
# NOTE(review): if these variables are rendered into a configuration file
# rather than a shell command, the added quotes become part of the value for
# any password containing shell-special characters - confirm every consumer.
barbican_admin_user: "{{ KEYMGR_API.vars.barbican_admin_user }}"
barbican_admin_user_password: "{{ KEYMGR_API.vars.barbican_admin_password | quote }}"

barbican_service_user: "{{ KEYMGR_API.vars.barbican_service_user }}"
barbican_service_password: "{{ KEYMGR_API.vars.barbican_service_password | quote }}"
#barbican_service_password: '%random-password%'

barbican_api_conf_file: barbican.conf

barbican_api_service_name: barbican-api
barbican_worker_service_name: barbican-worker

# Keystone specific variables
# auth_url, identity_url and admin_url all point at the first private
# Keystone VIP; ca_file is the trusted CA bundle.
# admin_password is shell-quoted like the Barbican passwords above.
keystone:
  admin_user: "{{ KEY_API.vars.keystone_admin_user }}"
  admin_password: "{{ KEY_API.vars.keystone_admin_pwd | quote }}"
  default_domain_name: "{{ KEY_API.vars.keystone_default_domain }}"
  admin_tenant_name: "{{ KEY_API.vars.keystone_admin_tenant }}"
  service_tenant_name: "{{ KEY_API.vars.keystone_service_tenant }}"
  admin_role: "{{ KEY_API.vars.keystone_admin_role }}"
  auth_url: "{{ KEYMGR_API.consumes_KEY_API.vips.private[0].url }}"
  identity_url: "{{ KEYMGR_API.consumes_KEY_API.vips.private[0].url }}"
  admin_url: "{{ KEYMGR_API.consumes_KEY_API.vips.private[0].url }}"
  ca_file: "{{ trusted_ca_bundle }}"

# Comma-separated host:port list of the private memcached members.
memcached_servers: "{% for x in KEYMGR.consumes_FND_MEM.members.private %}{{ x.host }}:{{ x.port }}{%if
 not loop.last %},{% endif %}{% endfor %}"
# Shell-quoted by the "quote" filter.
# NOTE(review): confirm the consumer expects a shell-quoted value.
memcache_secret_key: "{{ KEYMGR.consumes_FND_MEM.vars.memcached.barbican.secret_key | quote }}"

# Database connection. The password is percent-encoded for the URL; the
# username is inserted as-is. ssl_ca is appended only when the first private
# database VIP has use_tls set; otherwise the URL requests no TLS.
# NOTE(review): the rendered string contains the database password, so keep it
# out of debug output and world-readable files. Confirm whether the driver
# also verifies the server hostname when ssl_ca is given.
barbican_db_ca_file: "{{ trusted_ca_bundle }}"
barbican_database_connection_string: "mysql+pymysql://{{ KEYMGR_API.consumes_FND_MDB.vars.accounts.barbican.username }}:{{ KEYMGR_API.consumes_FND_MDB.vars.accounts.barbican.password | urlencode }}@{{ KEYMGR_API.consumes_FND_MDB.vips.private[0].host }}/barbican{% if KEYMGR_API.consumes_FND_MDB.vips.private[0].use_tls %}?ssl_ca={{ barbican_db_ca_file }}{% endif %}"

barbican_admin_vip_protocol: "{{ KEYMGR_API.advertises.vips.admin[0].protocol }}"
barbican_admin_vip_host: "{{ KEYMGR_API.advertises.vips.admin[0].host }}"
barbican_admin_vip_port: "{{ KEYMGR_API.advertises.vips.admin[0].port }}"

barbican_internal_vip_protocol: "{{ KEYMGR_API.advertises.vips.private[0].protocol }}"
barbican_internal_vip_host: "{{ KEYMGR_API.advertises.vips.private[0].host }}"
barbican_internal_vip_port: "{{ KEYMGR_API.advertises.vips.private[0].port }}"

barbican_public_vip_protocol: "{{ KEYMGR_API.advertises.vips.public[0].protocol }}"
barbican_public_vip_host: "{{ KEYMGR_API.advertises.vips.public[0].host }}"
barbican_public_vip_port: "{{ KEYMGR_API.advertises.vips.public[0].port }}"

barbican_internal_endpoint: "{{ KEYMGR_API.advertises.vips.private[0].url }}"

# Default master key used for store_crypto plugin
# Mainly defined for CI/CD processing.
# NOTE(review): the commented-out line below is a literal base64 key kept in
# the repository. Anything encrypted under a published key is not protected,
# and a commented-out assignment is easy to re-enable by accident; keep such a
# value out of any deployment that stores real secrets.
#barbican_default_master_key: "3Z8QOImQyi2PAZUHjcqfxkcvZhPlHyXlH2wqjgwRpDI="
# Active definition: the key material comes from the input model and is
# base64-encoded here.
barbican_default_master_key: "{{ KEYMGR_API.vars.barbican_master_kek_db_plugin | b64encode }}"

# Value passed to barbican configuration, keep it blank
# (a bare key like this one parses as null).
barbican_simple_crypto_master_key:

# PKCS11 crypto plugin settings. A bare `key:` is null until it is set
# somewhere else.
barbican_pkcs11_package_name:
barbican_pkcs11_slot_id: 1
barbican_pkcs11_generate_labels: False

barbican_secretstore_plugins:
barbican_enabled_crypto_plugins:

barbican_pkcs11_eskm_generate_conf: False
# ESKM specific path as defined in pkcs11 3rd party library.
barbican_pkcs11_eskm_connector_base_path: "/opt/hpe/eskm_pkcs11"
barbican_pkcs11_eskm_connector_library_path: "{{ barbican_pkcs11_eskm_connector_base_path }}/lib/libhppkcs11.so"
barbican_pkcs11_eskm_connector_client_cert_path: "{{ barbican_pkcs11_eskm_connector_base_path }}/conf/cert.pem"
# Path of the client private key used by the ESKM connector.
# NOTE(review): no visible task sets owner or mode on privkey.pem - confirm
# it is readable only by the account that runs barbican.
barbican_pkcs11_eskm_connector_client_key_path: "{{ barbican_pkcs11_eskm_connector_base_path }}/conf/privkey.pem"
barbican_pkcs11_eskm_connector_client_cacert_path: "{{ barbican_pkcs11_eskm_connector_base_path }}/conf/ca.pem"
barbican_pkcs11_eskm_kmip_host:
barbican_pkcs11_eskm_kmip_port: 5696

# Project KEK handle cache: entry lifetime in seconds and maximum entry count.
barbican_pkcs11_project_kek_cache_ttl_secs: 900
barbican_pkcs11_project_kek_cache_size: 100

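# Message queue variables
# Broker members to connect to: the private members, else the public ones.
_mq_hosts_list: "{{ KEYMGR_API.consumes_FND_RMQ.members.private | default (KEYMGR_API.consumes_FND_RMQ.members.public) }}"

barbican_control_exchange: openstack
barbican_notification_driver: log

# Broker account and TLS flag, read from the RabbitMQ service this role
# consumes. The TLS flag comes from the first private member only.
barbican_rabbit_user: "{{ KEYMGR.consumes_FND_RMQ.vars.accounts.barbican.username }}"
barbican_rabbit_password: "{{ KEYMGR.consumes_FND_RMQ.vars.accounts.barbican.password }}"
barbican_rabbit_use_ssl: "{{ KEYMGR.consumes_FND_RMQ.members.private[0].use_tls }}"
# user:password@host:port for every broker, comma separated.
# The password is percent-encoded, the same way the database password is
# handled in barbican_database_connection_string, so that characters such as
# '@' or ':' in a password cannot change how the URL is split into
# credentials and host.
# The rendered value contains the broker password in clear text; avoid
# printing it in debug output.
barbican_rabbit_hosts_url: >
  {%- for x in _mq_hosts_list -%}
    {{ barbican_rabbit_user }}:{{ barbican_rabbit_password | urlencode }}@{{ x.host }}:{{ x.port }}{%- if not loop.last -%},{%- endif -%}
  {%- endfor -%}
# Final transport URL: the host list above followed by "//".
barbican_transport_url: "rabbit://{{ barbican_rabbit_hosts_url }}//"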


# Client key, client certificate and CA certificate paths for the barbican
# API, all below barbican_conf_dir.
barbican_api_ssl_client_key: "{{ barbican_conf_dir }}/ssl/certs/client.key"
barbican_api_ssl_client_cert: "{{ barbican_conf_dir }}/ssl/certs/client.crt"
barbican_api_ssl_ca_cert: "{{ barbican_conf_dir }}/ssl/certs/ca.crt"

# KMIP client key, certificate and CA certificate at fixed paths under
# /etc/barbican. The *.key files are private keys.
# NOTE(review): file ownership and mode are not set here - confirm the tasks
# that install these files restrict the key files to the service account.
barbican_kmip_client_key_path: "/etc/barbican/ssl/certs/kmip_client.key"
barbican_kmip_client_cert_path: "/etc/barbican/ssl/certs/kmip_client.crt"
barbican_kmip_client_cacert_path: "/etc/barbican/ssl/certs/kmip_ca.crt"

# Hosts in the inventory group named by verb_hosts.KEYMGR_API; an empty list
# when that lookup is undefined.
barbican_host_set: "{{ groups[verb_hosts.KEYMGR_API]  | default([]) }}"

# Barbican database version, head means version as per included barbican code base
# Please see https://github.com/openstack/barbican/blob/stable/liberty/barbican/cmd/db_manage.py#L72
barbican_db_version: head

# flag set in configure playbooks to trigger services handlers to restart
barbican_restart_required: False
barbican_api_restart_required: False
barbican_worker_restart_required: False
barbican_api_reload_required: False
07070100000069000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004600000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/meta0707010000006A000081A40000000000000000000000015E7B82F900000263000000000000000000000000000000000000004F00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/meta/main.yml# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Roles that are applied before this one.
# NOTE(review): tls-vars is presumably where trusted_ca_bundle comes from -
# confirm against that role.
dependencies:
  - role: tls-vars
0707010000006B000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004700000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/tasks0707010000006C000081A40000000000000000000000015E7B82F90000066B000000000000000000000000000000000000006500000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/tasks/_read_existing_master_key.yml#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
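# Resolve barbican_simple_crypto_master_key.
# A customer-supplied key (barbican_customer_master_key) wins; otherwise the
# key already present in the barbican configuration on the controller is
# reused. Every task here handles the master KEK, so each one sets no_log to
# keep the key out of task output, callback plugins and log files.
- name: barbican-common | _read_existing_master_key |
    Read existing master keks from controller
  # Reads option `kek` of section simple_crypto_plugin and strips double
  # quotes. The exit status is that of sed, the last command of the pipe, so
  # a missing file or option yields empty stdout rather than a failed task.
  shell:
    crudini --get /etc/barbican/{{ barbican_api_conf_file }}
    simple_crypto_plugin kek | sed s/\"//g
  ignore_errors: yes
  become: yes
  no_log: true
  register: barbican_existing_master_kek_result
  when:
    barbican_customer_master_key is undefined or
    not barbican_customer_master_key

- name: barbican-common | _read_existing_master_key |
    Use existing master key from controller if present
  ignore_errors: yes
  no_log: true
  set_fact:
    barbican_simple_crypto_master_key:
      "{{ barbican_existing_master_kek_result.stdout }}"
  when:
    barbican_customer_master_key is undefined or
    not barbican_customer_master_key

- name: barbican-common | _read_existing_master_key |
    Use customer master key if defined
  no_log: true
  set_fact:
    barbican_simple_crypto_master_key:
      "{{ barbican_customer_master_key }}"
  when:
    barbican_customer_master_key is defined and
    barbican_customer_master_key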
0707010000006D000081A40000000000000000000000015E7B82F900000418000000000000000000000000000000000000005D00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/tasks/_schedule_restart.yml#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# These debug tasks do no work of their own: changed_when forces a "changed"
# result, and the registered ardana_notify_* variable records it.
# NOTE(review): the code that reads these registered results is not visible
# here - presumably a later play restarts the service when it finds them.
- name: barbican-common | _schedule_restart |
    Schedule a restart for barbican-api
  debug:
    msg: "Trigger a change notification in barbican-api"
  changed_when: true
  register: ardana_notify_barbican_api_restart_required

- name: barbican-common | _schedule_restart |
    Schedule a restart for barbican-worker
  debug:
    msg: "Trigger a change notification in barbican-worker"
  changed_when: true
  register: ardana_notify_barbican_worker_restart_required
0707010000006E000081A40000000000000000000000015E7B82F900000696000000000000000000000000000000000000005C00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/tasks/_set_directories.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Derive the bin, conf, share and venv directories of the service from
# component_service_name. Exactly one of the two tasks runs, depending on
# whether install_package_result.version is defined.
# NOTE(review): bin_dir, config_dir, share_dir and venv_dir are filters that
# are not defined in this file - confirm their behaviour where they are
# provided.

# Configure case: a package was just installed, so its version is passed to
# each filter.
- name: barbican-common | _set_directories |
    set service etc directory - configure
  set_fact:
    barbican_bin_dir:
      "{{ component_service_name | bin_dir(install_package_result.version) }}"
    barbican_conf_dir:
      "{{ component_service_name | config_dir(install_package_result.version)
      }}/{{ service }}"
    barbican_share_dir:
      "{{ component_service_name | share_dir(install_package_result.version) }}"
    barbican_venv_dir:
      "{{ component_service_name | venv_dir(install_package_result.version) }}"
  when: install_package_result.version is defined

# Reconfigure case: no version is available, so the filters are called
# without one.
- name: barbican-common | _set_directories |
    set service etc directory - reconfigure
  set_fact:
    barbican_bin_dir:
      "{{ component_service_name | bin_dir() }}"
    barbican_conf_dir:
      "{{ component_service_name | config_dir() }}/{{ service }}"
    barbican_share_dir:
      "{{ component_service_name | share_dir() }}"
    barbican_venv_dir: "{{ component_service_name | venv_dir }}"
  when: install_package_result.version is undefined
0707010000006F000081A40000000000000000000000015E7B82F900000985000000000000000000000000000000000000005000000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/tasks/main.yml#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

# Load the vars file named after the lower-cased OS family fact.
- name: barbican-common | main | include OS specific variables
  include_vars: "{{ ansible_os_family | lower }}.yml"

# Load the customer-editable settings. That file can hold the master key and
# the KMIP/PKCS11 passwords, so it needs the same protection as any other
# credential store.
- name: barbican-common | main |
    Include vars file with customer barbican configuration values
  include_vars: barbican_deploy_config.yml
  tags:
    - barbican
    - barbican_debug

# Sets barbican_simple_crypto_master_key from the customer key or from the
# key already configured on the controller.
- include: _read_existing_master_key.yml

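# Enforce a floor of 8 on the maximum API worker count.
- name: barbican-common | main |
    Set max api worker count to 8 if dynamic CPU based count is less than 8
  set_fact:
    barbican_api_max_worker_count: 8
  # The count is defined through a "{{ ... }}" template and may reach this
  # point as a string, so it is cast before the numeric comparison, as the two
  # tasks below already do.
  when: barbican_api_max_worker_count|int < 8
  tags:
    - barbican

# Warn when max is not greater than min; the next task applies the correction.
- name: barbican-common | main |
    Increase max api worker count by 4 if incorrectly set to be less than min
    count value.
  debug:
    msg: "WARNING Barbican API max worker count
        [{{ barbican_api_max_worker_count }}] must be greater than
        min worker count [{{ barbican_api_min_worker_count }}].
        Setting max count to be greater by 4."
  tags:
    - barbican
  when: barbican_api_max_worker_count|int <= barbican_api_min_worker_count|int

# Raise max to min + 4. The min count is cast to int before the addition so
# that a value supplied as a string does not break the arithmetic, matching
# the casts in the `when` condition.
- name: barbican-common | main |
    Increase max api worker count by 4 if its not set to be greater than min
    count value.
  set_fact:
    barbican_api_max_worker_count: "{{ barbican_api_min_worker_count | int + 4 }}"
  when: barbican_api_max_worker_count|int <= barbican_api_min_worker_count|int
  tags:
    - barbican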

# Debug aid: prints the whole KEYMGR_API variable tree, once per play.
# The gate is `is defined`, so any value of barbican_debug, including false,
# enables the dump.
# KEYMGR_API carries credentials that this role reads elsewhere, for example
# consumes_FND_MDB.vars.accounts.barbican.password and
# vars.barbican_master_kek_db_plugin. The output of this task therefore has to
# be handled as secret material: keep barbican_debug undefined on production
# runs, and purge or restrict any Ansible log that captured it.
- name: barbican-common | main |
    Display variables that are configured for KEYMGR-API
  debug:
    var: KEYMGR_API
  tags:
    - barbican
    - barbican_debug
  when: barbican_debug is defined
  run_once: True


# Debug aid: prints every variable of the current inventory host. This
# includes the rendered connection strings and keys defined by this role, so
# the same handling as for the task above applies.
- name: barbican-common | main | Display variables for the inventory host
  debug:
    var: hostvars[inventory_hostname]
  tags:
    - barbican
    - barbican_debug
  when: barbican_debug is defined
  run_once: True
07070100000070000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004600000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/vars07070100000071000081A40000000000000000000000015E7B82F900001539000000000000000000000000000000000000006100000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/vars/barbican_deploy_config.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#

# Possible log levels are INFO/DEBUG/WARN/ERROR
# Both levels follow ardana_loglevel and fall back to INFO when it is unset.
barbican_loglevel: "{{ ardana_loglevel | default('INFO') }}"
barbican_logstash_loglevel: "{{ ardana_loglevel | default('INFO') }}"

#########################################################################################
# Using uwsgi adaptive process spawning to dynamically scale workers.
# See http://uwsgi-docs.readthedocs.org/en/latest/Cheaper.html
# cheaper-algo = spare, cheaper = 4 (min count), cheaper-initial = 6

# Set maximum number of workers that can be spawned. Max value is dynamically
# calculated based on underlying hardware capability.
# If dynamically calculated value is less than 8, then 8 is used.
# Max count needs to be greater than min count (below). If it is set to a lower
# or equal value, then max count is updated to be 4 higher than min count.
# NOTE(review): a filter binds tighter than `*`, so `| default('8')` applies
# to the literal 2 only and gives no fallback when the processor facts are
# missing. The floor of 8 is applied by a task in tasks/main.yml instead.
barbican_api_max_worker_count:  "{{ ansible_processor_count * ansible_processor_cores * 2| default('8') }}"

# Minimum number of idle workers to be kept running.
barbican_api_min_worker_count: 4

# Number of workers to create at barbican api server startup
#barbican_api_initial_worker_count: 6
barbican_api_initial_worker_count: 4

# Multi-processing is used instead of threading. Threads are kept 1
# Python threading is useful in high IO load interactions.
barbican_api_threads_count:  1
#########################################################################################


# Customer provided master key during first time barbican initial deployment.
# The key should be a 32-byte value which is base64 encoded.
# This value must be set before cloud deployment (with site.yml) starts.
# Note: Master key should not be changed as there can be existing entries using
# this key for encrypting barbican project kek and secrets.
# The commented-out literal below is a published example of the expected
# format only. Generate a fresh random key for each deployment and never reuse
# the example: a key that ships with the package protects nothing.
# A key set here is stored in this file in clear text, so access to the file
# and to any copy or backup of it should be restricted accordingly.
# barbican_customer_master_key: "3Z8QOImQyi2PAZUHjcqfxkcvZhPlHyXlH2wqjgwRpDI="
# Left null by default; the existing key on the controller is then used.
barbican_customer_master_key:

#######################################################################
#################### KMIP Plugin Configuration Section #################
#######################################################################
# Flag to reflect whether KMIP plugin is to be used as backend for storing secrets
use_kmip_secretstore_plugin: False

# Note: Connection username needs to match with 'Common Name' provided
# in client cert request (CSR).
# All four values are null until the operator fills them in.
# barbican_kmip_password is a credential kept in clear text in this file;
# restrict access to the file and to any log that prints host variables.
barbican_kmip_username:
barbican_kmip_password:
barbican_kmip_host:
barbican_kmip_port:

###############################################################################
#################### PKCS11 Crypto Plugin Configuration Section ###############
###############################################################################

# Set to True to use the PKCS11 crypto plugin. This plugin stores the project
# level kek and the master kek in a PKCS11 compatible HSM device. Encrypted
# keys are stored in the DB using the 'store_crypto' secret store plugin. A
# deployment can use an HSM device either via the PKCS11 crypto model or the
# KMIP plugin model. Both cannot be enabled within a single barbican
# deployment.
use_pkcs11_crypto_plugin: False

# HSM session password and the labels of the master KEK and HMAC key.
# The session password is a credential kept in clear text in this file.
barbican_pkcs11_session_password:
barbican_pkcs11_mkek_label:
barbican_pkcs11_hmac_label:


# There is an in-memory cache used with pkcs11 interaction where the object
# handle (pointer) to the project kek (key encryption key) is stored. This
# handle is a reference to the key which is created in the HSM as part of the
# unwrap (register/import) of the 'wrapped_key' column in the 'kek_data' table.
# The handle is added to the cache when the project kek is first needed on
# that specific barbican node/process.
# These object handles are destroyed in the HSM only when an expired handle is
# accessed or the cache size limit is reached. This cache cannot be disabled,
# though the ttl seconds or the size limit can be reduced to limit caching
# behavior.

# pkcs11 project kek (key encryption key) cache time to live (expiry) seconds.
barbican_pkcs11_project_kek_cache_ttl_secs: 900
# pkcs11 project kek (key encryption key) cache max size.
barbican_pkcs11_project_kek_cache_size: 100

# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
# Change here if it needs to be different from default
barbican_pkcs11_slot_id: 1

# Flag to set to True if ESKM is used as HSM otherwise keep it False.
# With following flag set to True, playbook will use ESKM predefined path
# so those are not required in that case.
# NOTE(review): barbican_pkcs11_eskm_kmip_host and _port are also assigned in
# another variables file of this role (port 5696 there). This file is loaded
# with include_vars, so check which value wins when the keys are left null
# here.
barbican_pkcs11_provider_is_eskm:
barbican_pkcs11_eskm_kmip_host:
barbican_pkcs11_eskm_kmip_port:

# Following are required paths on controller nodes related to PKCS11 setup.
# With flag barbican_pkcs11_provider_is_eskm as True, following paths are not
# required as default expected paths are used for ESKM PKCS11 library.
# client_key_path names a private key file; it should be readable only by the
# account that runs barbican.
barbican_pkcs11_library_path:
barbican_pkcs11_client_cert_path:
barbican_pkcs11_client_key_path:
barbican_pkcs11_client_cacert_path:
07070100000072000081A40000000000000000000000015E7B82F9000002DA000000000000000000000000000000000000005100000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/vars/debian.yml#
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
barbican_package_dependencies:
  - python-dev
  - libffi-dev
  - libssl-dev
  - libmysqlclient18
  - libldap2-dev
  - libsasl2-dev
  - python-httplib207070100000073000081A40000000000000000000000015E7B82F9000002D4000000000000000000000000000000000000004F00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-common/vars/suse.yml#
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Package list for SUSE-family hosts. This file is selected by the
# include_vars task that loads "<ansible_os_family | lower>.yml".
barbican_package_dependencies:
  - apache2-mod_wsgi
  - libffi4
  - libmysqlclient18
  - libopenssl1_0_0
  - logrotate
  - python-httplib2
07070100000074000041ED0000000000000000000000065E7B82F900000000000000000000000000000000000000000000004200000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor07070100000075000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004B00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor/defaults07070100000076000081A40000000000000000000000015E7B82F9000002E6000000000000000000000000000000000000005400000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor/defaults/main.yml#
# (c) Copyright 2020 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#

# Provisioned node TLS file. Per the note in tasks/configure_tls.yml it holds
# the certificate and the private key together, so it must stay unreadable to
# unprivileged users.
ardana_node_cert: /etc/ssl/private/ardana-node-cert
# certificate only, for monitoring purpose
ardana_node_cert_monitoring: /etc/ssl/ardana-node-cert-monitoring.pem
07070100000077000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004700000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor/meta07070100000078000081A40000000000000000000000015E7B82F9000002D4000000000000000000000000000000000000005000000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor/meta/main.yml#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

dependencies:
  - role: barbican-common
  - {role: monasca-agent, run_mode: Use}07070100000079000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004800000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor/tasks0707010000007A000081A40000000000000000000000015E7B82F900000687000000000000000000000000000000000000005A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor/tasks/configure_tls.yml#
# (c) Copyright 2020 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
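# NOTE(gyee): The provisioned TLS server certificate file consists of both the
# certificate and the private key, so the certificate portion has to be
# separated out for monitoring without exposing the private key.
# This is done by writing only the certificate to a different file and making
# that file world-readable. A world-readable certificate is NOT a problem,
# because a TLS certificate is public information.
- name: barbican-monitor | configure_tls | Separate out ardana node TLS cert
  become: yes
  # `openssl x509` emits only the certificate, so the private key stored in
  # the same input file never reaches the output file.
  # The command module is used because no shell feature is needed; the two
  # templated paths are then passed as arguments and are not interpreted by a
  # shell.
  command: >
    openssl x509 -in {{ ardana_node_cert }}
    -out {{ ardana_node_cert_monitoring }} -outform PEM

# 0644 applies to the certificate-only copy. The source file that contains
# the private key is not touched by this task.
- name: barbican-monitor | configure_tls |
        Make sure ardana node monitoring cert is readable
  become: yes
  file:
    path: "{{ ardana_node_cert_monitoring }}"
    mode: '0644'

# Register the certificate-only copy with the Monasca CertificateFileCheck
# plugin under the dimension service:barbican.
- name: barbican-monitor | configure_tls |
        Run Monasca detection plugin for ardana node cert
  become: yes
  monasca_agent_plugin:
    name: CertificateFileCheck
    args:
      cert_files: "{{ ardana_node_cert_monitoring }}"
      dimensions: "service:barbican"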

0707010000007B000081A40000000000000000000000015E7B82F9000006C8000000000000000000000000000000000000005A00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor/tasks/local_monitor.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#

# Enable the Monasca "barbican" detection plugin with its HTTP check turned
# off. The HTTP check is configured separately by the next task.
- name: barbican-monitor | local_monitor |
    Set up check on barbican wsgi process and admin endpoint locally
  become: yes
  monasca_agent_plugin:
    name: "barbican"
    args: "disable_http_check=yes"
  tags:
    - barbican
    - barbican_monitor

# Active HTTP check against this node's barbican API address on the internal
# VIP port, without Keystone authentication (use_keystone=False).
# NOTE(review): the scheme is fixed to http, while barbican_internal_vip_protocol
# exists as a variable - confirm that the node-local listener is meant to be
# plain HTTP.
- name:  barbican-monitor | local_monitor |
    Setup active check on barbican internal
  become: yes
  monasca_agent_plugin:
    name: "httpcheck"
    args: >
        use_keystone=False
        url=http://{{ barbican_api_network_address }}:{{ item.port }}
        dimensions=service:key-manager,component:barbican-api,api_endpoint:{{ item.api_endpoint }},monitored_host_type:instance
  with_items:
    - [{ api_endpoint: 'internal', port: "{{ barbican_internal_vip_port }}"} ]
  tags:
    - barbican
    - barbican_monitor

# Certificate monitoring is configured only when the node certificate file
# exists; stat runs with become because the file lives under /etc/ssl/private.
- name: barbican-monitor | local_monitor | Check ardana-node-cert
  become: yes
  stat:
    path: "{{ ardana_node_cert }}"
  register: ardana_node_cert_check_result

- name: barbican-monitor | local_monitor | Monitor ardana-node-cert
  include: configure_tls.yml
  when: ardana_node_cert_check_result.stat.exists
0707010000007C000081A40000000000000000000000015E7B82F900000447000000000000000000000000000000000000005B00000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor/tasks/remote_monitor.yml#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#

# HTTP check against the internal barbican VIP URL, without Keystone
# authentication (use_keystone=False). The scheme is whatever
# barbican_internal_endpoint contains.
- name: barbican-monitor | remote_monitor |
    Setup http check against Barbican VIP
  become: yes
  monasca_agent_plugin:
    name: "httpcheck"
    args: >
      use_keystone=False
      url={{ item.url }}/
      dimensions=service:key-manager,component:barbican-api,api_endpoint:{{ item.api_endpoint }},monitored_host_type:vip
  with_items:
    - { api_endpoint: 'internal', url: "{{ barbican_internal_endpoint }}"}
  tags:
    - barbican_monitor
0707010000007D000041ED0000000000000000000000025E7B82F900000000000000000000000000000000000000000000004700000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor/vars0707010000007E000081A40000000000000000000000015E7B82F9000002D9000000000000000000000000000000000000005000000000ardana-barbican-8.0+git.1585152761.8ef3d61/roles/barbican-monitor/vars/main.yml#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---

ardanauser : "{{ ansible_env['USER'] }}"
ardanauser_home: "{{ ansible_env['HOME'] }}"07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000B00000000TRAILER!!!442 blocks