From 2e08ffd6d3104b784cbdbe2a8a2f37cb98ff43d3 Mon Sep 17 00:00:00 2001
From: James Kirsch <generalfuzz@gmail.com>
Date: Thu, 7 May 2020 15:49:56 -0700
Subject: [PATCH] Add support for encrypting Barbican API

This patch introduces an optional backend encryption for the Barbican
API service. When used in conjunction with enabling TLS for service API
endpoints, network communication will be encrypted end to end, from
client through HAProxy to the Barbican service.

Change-Id: I62a43b36ebe4a03230bf944980b45e4b6938871b
Partially-Implements: blueprint add-ssl-internal-network
---
 ansible/roles/barbican/defaults/main.yml           |  7 +++++++
 ansible/roles/barbican/tasks/config.yml            |  2 +-
 .../roles/barbican/templates/barbican-api.ini.j2   |  7 +++++--
 .../roles/barbican/templates/barbican-api.json.j2  | 14 +++++++++++++-
 .../encrypt-backend-haproxy-fb96285d74fb464c.yaml  |  8 ++++----
 5 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/ansible/roles/barbican/defaults/main.yml b/ansible/roles/barbican/defaults/main.yml
index 37c47bbd5..c09cac06a 100644
--- a/ansible/roles/barbican/defaults/main.yml
+++ b/ansible/roles/barbican/defaults/main.yml
@@ -16,12 +16,14 @@ barbican_services:
         external: false
         port: "{{ barbican_api_port }}"
         listen_port: "{{ barbican_api_listen_port }}"
+        tls_backend: "{{ barbican_enable_tls_backend }}"
       barbican_api_external:
         enabled: "{{ enable_barbican }}"
         mode: "http"
         external: true
         port: "{{ barbican_api_port }}"
         listen_port: "{{ barbican_api_listen_port }}"
+        tls_backend: "{{ barbican_enable_tls_backend }}"
   barbican-keystone-listener:
     container_name: barbican_keystone_listener
     group: barbican-keystone-listener
@@ -142,3 +144,8 @@ barbican_ks_roles:
   - "{{ barbican_creator_role }}"
   - "{{ barbican_observer_role }}"
   - "{{ barbican_audit_role }}"
+
+####################
+# TLS
+####################
+barbican_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
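Review bot: The new `barbican_enable_tls_backend` variable is introduced under a bare "TLS" banner with no explanation of what enabling it requires, which matters because (per the other hunks in this patch) the deployment will fail at config time if the certificate and key are not present. Add a comment above the variable along the lines of `# Terminate TLS inside the barbican-api container (HAProxy -> uwsgi). Requires barbican-cert.pem and barbican-key.pem to be provided for the copy-certs task; defaults to the global kolla_enable_tls_backend.` The exact location the certificates are sourced from is handled by copy-certs.yml, which is not in this patch, so word that part of the comment to match whatever that task expects.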
diff --git a/ansible/roles/barbican/tasks/config.yml b/ansible/roles/barbican/tasks/config.yml
index 51eb889da..5fbf03172 100644
--- a/ansible/roles/barbican/tasks/config.yml
+++ b/ansible/roles/barbican/tasks/config.yml
@@ -49,7 +49,7 @@
 
 - include_tasks: copy-certs.yml
   when:
-    - kolla_copy_ca_into_containers | bool
+    - kolla_copy_ca_into_containers | bool or barbican_enable_tls_backend | bool
 
 - name: Copying over config.json files for services
   template:
diff --git a/ansible/roles/barbican/templates/barbican-api.ini.j2 b/ansible/roles/barbican/templates/barbican-api.ini.j2
index 302cf98d5..706d9e8d2 100644
--- a/ansible/roles/barbican/templates/barbican-api.ini.j2
+++ b/ansible/roles/barbican/templates/barbican-api.ini.j2
@@ -1,6 +1,9 @@
 [uwsgi]
-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }}
-protocol = http
+{% if barbican_enable_tls_backend | bool %}
+https-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }},/etc/barbican/certs/barbican-cert.pem,/etc/barbican/certs/barbican-key.pem
+{% else %}
+http-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }}
+{% endif %}
 processes = {{ openstack_service_workers }}
 lazy = true
 vacuum = true
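Review bot: The `https-socket` line on the TLS branch hands uwsgi only an address, certificate and key, so protocol versions and cipher suites are left at the OpenSSL/uwsgi defaults of whatever image is built, with no way for an operator to tighten them. If I recall uwsgi's option syntax correctly, `https-socket` accepts trailing `,ciphers[,client-ca]` fields, so exposing a variable such as `barbican_tls_ciphers` and appending it (e.g. `...,/etc/barbican/certs/barbican-key.pem,{{ barbican_tls_ciphers }}`) would let deployments pin a cipher string consistently with the HAProxy frontend; please confirm the exact field order against the uwsgi version shipped in the image before relying on it. Independently, a short Jinja comment above the branch noting that the certificate paths must match the `dest` entries in barbican-api.json.j2 would help the next person who renames one side and not the other.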
diff --git a/ansible/roles/barbican/templates/barbican-api.json.j2 b/ansible/roles/barbican/templates/barbican-api.json.j2
index 79a3ac263..e28191aae 100644
--- a/ansible/roles/barbican/templates/barbican-api.json.j2
+++ b/ansible/roles/barbican/templates/barbican-api.json.j2
@@ -19,7 +19,19 @@
             "owner": "barbican",
             "perm": "0600",
             "optional": true
-        }{% if barbican_policy_file is defined %},
+        }{% if barbican_enable_tls_backend | bool %},
+        {
+            "source": "{{ container_config_directory }}/barbican-cert.pem",
+            "dest": "/etc/barbican/certs/barbican-cert.pem",
+            "owner": "barbican",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/barbican-key.pem",
+            "dest": "/etc/barbican/certs/barbican-key.pem",
+            "owner": "barbican",
+            "perm": "0600"
+        }{% endif %}{% if barbican_policy_file is defined %},
         {
             "source": "{{ container_config_directory }}/{{ barbican_policy_file }}",
             "dest": "/etc/barbican/{{ barbican_policy_file }}",
diff --git a/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml b/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
index bfe710a8b..72bb28801 100644
--- a/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
+++ b/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
@@ -2,7 +2,7 @@
 features:
   - |
     Added configuration options to enable backend TLS encryption from HAProxy
-    to the Keystone, Glance, Heat, Placement, Horizon, and Cinder services.
-    When used in conjunction with enabling TLS for service API endpoints,
-    network communcation will be encrypted end to end, from client through
-    HAProxy to the backend service.
+    to the Keystone, Glance, Heat, Placement, Horizon, Barbican, and Cinder
+    services. When used in conjunction with enabling TLS for service API
+    endpoints, network communcation will be encrypted end to end, from client
+    through HAProxy to the backend service.
-- 
GitLab