Barbican role for OpenStack-Ansible

Barbican role for OpenStack-Ansible

This Ansible role installs and configures OpenStack Barbican (the key manager service).

To clone or view the source code for this repository, visit the role repository for os_barbican.

Default variables

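## Verbosity Options
# Debug logging for a key-management service can expose request details in
# logs; keep it off outside of troubleshooting.
debug: false

# Set the package install state for distribution and pip packages
# Options are 'present' and 'latest'
barbican_package_state: "latest"
barbican_pip_package_state: "latest"

# Toggle keystone authentication for barbican
# false leaves the API without Keystone token validation; review this
# before the endpoint is reachable by anyone other than the deployer.
barbican_keystone_auth: false

## System info
barbican_system_group_name: barbican
barbican_system_user_name: barbican
barbican_system_user_comment: Barbican System User
barbican_system_user_shell: /bin/false  # service account: no interactive login
barbican_system_user_home: "/var/lib/{{ barbican_system_user_name }}"
barbican_log_directory: /var/log/barbican
barbican_etc_directory: /etc/barbican
barbican_vassals_directory: "{{ barbican_etc_directory }}/vassals"

## Barbican services info
barbican_api_program_name: barbican-api
barbican_keystone_listener_program_name: barbican-keystone-listener
barbican_worker_program_name: barbican-worker
barbican_retry_program_name: barbican-retry
barbican_uwsgi_program_name: uwsgi
barbican_uwsgi_options: "--master --die-on-term --emperor {{ barbican_vassals_directory }}"

## Service Type and Data
barbican_service_name: barbican
barbican_service_user_name: barbican
barbican_service_type: key-manager
barbican_service_description: "OpenStack Key and Secrets Management (Barbican)"
# NOTE(review): the key that owns the list below (apparently the Keystone
# role names granted to the service user) was lost when this page was
# extracted — confirm against the role's defaults file. 'creator' is listed
# twice; the duplicate is harmless but worth removing.
  - "key-manager:service-admin"
  - creator
  - observer
  - audit
  - admin
  - creator
barbican_service_region: RegionOne
barbican_service_host: ""
barbican_service_port: 9311
# Default scheme is plain http; the *_proto variables below let each endpoint
# be switched to https independently (usually via the openstack_* globals).
barbican_service_proto: http
barbican_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(barbican_service_proto) }}"
barbican_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(barbican_service_proto) }}"
barbican_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(barbican_service_proto) }}"
barbican_service_publicurl: "{{ barbican_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ barbican_service_port }}"
barbican_service_internalurl: "{{ barbican_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}"
barbican_service_adminurl: "{{ barbican_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}"

# Free-form overrides merged into the generated config/policy/paste files.
barbican_config_overrides: {}
barbican_policy_overrides: {}
barbican_paste_overrides: {}
barbican_api_audit_map_overrides: {}
barbican_vassals_api_overrides: {}

## Toggle developer mode
barbican_developer_mode: false

## The git source/branch
barbican_git_repo: ""
barbican_git_install_branch: "stable/queens"

## The packages to build from source (used in developer mode)
# NOTE(review): the key owning this list (the developer-mode constraints)
# was lost in extraction — confirm against the role's defaults file.
  - "git+{{ barbican_git_repo }}@{{ barbican_git_install_branch }}#egg=barbican"

# Name of the virtual env to deploy into
barbican_venv_tag: untagged
barbican_bin: "/openstack/venvs/barbican-{{ barbican_venv_tag }}/bin"

# venv_download, even when true, will use the fallback method of building the
# venv from scratch if the venv download fails.
barbican_venv_download: "{{ not barbican_developer_mode | bool }}"
# URL of the pre-built virtualenv
# NOTE(review): the variable this comment describes is missing from the
# listing — confirm against the role's defaults file.

# Database vars
barbican_galera_database: barbican
barbican_galera_user: barbican
# Database traffic is unencrypted unless galera_use_ssl is set globally.
barbican_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
barbican_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"

# Rabbit vars
barbican_rabbitmq_userid: barbican
barbican_rabbitmq_vhost: /barbican

# Keystone AuthToken/Middleware
barbican_keystone_auth_plugin: password
barbican_service_project_domain_id: default
barbican_service_user_domain_id: default
barbican_service_project_name: service

# Apache configuration vars
barbican_wsgi_processes_max: 16
# half the vCPUs, at least 1, capped at barbican_wsgi_processes_max
barbican_wsgi_processes: "{{ [[ansible_processor_vcpus|default(2) // 2, 1] | max, barbican_wsgi_processes_max] | min }}"
barbican_wsgi_threads: 1
barbican_apache_log_level: info
# Minimise version disclosure in Server headers and error pages.
barbican_apache_servertokens: "Prod"
barbican_apache_serversignature: "Off"

barbican_ssl: false
barbican_ssl_cert: /etc/ssl/certs/barbican.pem
barbican_ssl_key: /etc/ssl/private/barbican.key
barbican_ssl_ca_cert: /etc/ssl/certs/barbican-ca.pem
# The default only excludes SSLv2/SSLv3; TLS 1.0/1.1 remain enabled unless
# ssl_protocol is tightened globally.
barbican_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
barbican_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"

# if using a self-signed certificate, set this to true to regenerate it
barbican_ssl_self_signed_regen: false
# CN is the internal VIP; the external VIP is added as an IP SAN.
barbican_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"

# Set these in user_variables to deploy custom certificates
#barbican_user_ssl_cert: <path to cert on ansible deployment host>
#barbican_user_ssl_key: <path to cert on ansible deployment host>
#barbican_user_ssl_ca_cert: <path to cert on ansible deployment host>

# packages required to execute the role
# NOTE(review): the key owning this list was lost in extraction — confirm
# against the role's defaults file.
  - virtualenv
  - python-keystoneclient # Keystoneclient needed by OSA keystone lib

# packages required to run the barbican service
# NOTE(review): the key owning this list was lost in extraction — confirm
# against the role's defaults file.
  - barbican
  - PyMySQL
  - python-memcached
  - uwsgi

# This variable is used by the repo_build process to determine
# which host group to check for members of before building the
# pip packages required by this role. The value is picked up
# by the py_pkgs lookup.
barbican_role_project_group: barbican_all

barbican_uwsgi_init_overrides: {}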


This role needs pip >= 7.1 installed on the target host.

This role requires the following variables to be defined:


Example playbook

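# The `roles:` and `vars:` keys were missing from the rendered example; the
# indentation of the remaining lines matches this layout.
- name: Install barbican server
  hosts: barbican_all
  user: root
  roles:
    - role: "os_barbican"
  vars:
    barbican_galera_address: "{{ internal_lb_vip_address }}"
    # Placeholder credentials: in a real deployment supply these from an
    # encrypted variables file rather than inline in the playbook.
    barbican_service_password: SuperSecretePassword1
    barbican_galera_password: SuperSecretePassword2
    barbican_rabbitmq_password: SuperSecretePassword3
    keystone_admin_user_name: admin
    keystone_auth_admin_password: SuperSecretePassword4
    keystone_admin_tenant_name: admin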


This role supports two tags: barbican-install and barbican-config. The barbican-install tag can be used to install and upgrade. The barbican-config tag can be used to maintain the configuration of the service.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.