Add support for encrypting Barbican API

This patch introduces an optional backend encryption for the Barbican
API service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Barbican service.

Change-Id: I62a43b36ebe4a03230bf944980b45e4b6938871b
Partially-Implements: blueprint add-ssl-internal-network

ansible/roles/barbican/defaults/main.yml

@@ -16,12 +16,14 @@ barbican_services:
         external: false
         port: "{{ barbican_api_port }}"
         listen_port: "{{ barbican_api_listen_port }}"
+        tls_backend: "{{ barbican_enable_tls_backend }}"
       barbican_api_external:
         enabled: "{{ enable_barbican }}"
         mode: "http"
         external: true
         port: "{{ barbican_api_port }}"
         listen_port: "{{ barbican_api_listen_port }}"
+        tls_backend: "{{ barbican_enable_tls_backend }}"
   barbican-keystone-listener:
     container_name: barbican_keystone_listener
     group: barbican-keystone-listener
@@ -142,3 +144,8 @@ barbican_ks_roles:
   - "{{ barbican_creator_role }}"
   - "{{ barbican_observer_role }}"
   - "{{ barbican_audit_role }}"
+
+####################
+# TLS
+####################
+barbican_enable_tls_backend: "{{ kolla_enable_tls_backend }}"

ansible/roles/barbican/tasks/config.yml

@@ -49,7 +49,7 @@
 
 - include_tasks: copy-certs.yml
   when:
-    - kolla_copy_ca_into_containers | bool
+    - kolla_copy_ca_into_containers | bool or barbican_enable_tls_backend | bool
 
 - name: Copying over config.json files for services
   template:

ansible/roles/barbican/templates/barbican-api.ini.j2

 [uwsgi]
-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }}
-protocol = http
+{% if barbican_enable_tls_backend | bool %}
+https-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }},/etc/barbican/certs/barbican-cert.pem,/etc/barbican/certs/barbican-key.pem
+{% else %}
+http-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }}
+{% endif %}
 processes = {{ openstack_service_workers }}
 lazy = true
 vacuum = true

ansible/roles/barbican/templates/barbican-api.json.j2

@@ -19,7 +19,19 @@
             "owner": "barbican",
             "perm": "0600",
             "optional": true
-        }{% if barbican_policy_file is defined %},
+        }{% if barbican_enable_tls_backend | bool %},
+        {
+            "source": "{{ container_config_directory }}/barbican-cert.pem",
+            "dest": "/etc/barbican/certs/barbican-cert.pem",
+            "owner": "barbican",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/barbican-key.pem",
+            "dest": "/etc/barbican/certs/barbican-key.pem",
+            "owner": "barbican",
+            "perm": "0600"
+        }{% endif %}{% if barbican_policy_file is defined %},
         {
             "source": "{{ container_config_directory }}/{{ barbican_policy_file }}",
             "dest": "/etc/barbican/{{ barbican_policy_file }}",

releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml

@@ -2,7 +2,7 @@
 features:
   - |
     Added configuration options to enable backend TLS encryption from HAProxy
-    to the Keystone, Glance, Heat, Placement, Horizon, and Cinder services.
-    When used in conjunction with enabling TLS for service API endpoints,
-    network communcation will be encrypted end to end, from client through
-    HAProxy to the backend service.
+    to the Keystone, Glance, Heat, Placement, Horizon, Barbican, and Cinder
+    services. When used in conjunction with enabling TLS for service API
+    endpoints, network communcation will be encrypted end to end, from client
+    through HAProxy to the backend service.